A similar problem exists for UNetbootin, one of the primary install vehicles for GNU/Linux operating systems. In March of this year, I noticed the problem and forwarded it to Kevin Gallagher, who wrote it up well on GitHub as a ticket. It's still an open ticket!

https://github.com/gkovacs/unetbootin/issues/9

Here's Kevin's write-up:

===
UNetbootin is one of the primary install vehicles for GNU/Linux operating systems. Ergo, it requires a high level of trust. Given what we know, this project absolutely needs to adopt more secure and verifiable means of delivering the binaries. Currently, users have no way to know whether backdoors are being inserted into their installation media by the NSA or GCHQ or another advanced adversary via compromise of UNetbootin with MITM, HTTP/DNS or browser exploits.

Your downloads http://sourceforge.net/projects/unetbootin/files/UNetbootin/585/ are not signed, but there are SHA1 and MD5 checksums available. Yet these too are served over plain HTTP so could be modified in transit.

Please come up with a key and start signing the files with it, and also secure the SourceForge project page http://sourceforge.net/projects/unetbootin with an SSL certificate, and force HTTPS.
===

On 07/01/2013 12:40 PM, adrelanos wrote:
> Originally posted on Tails-dev by Jacob Appelbaum. Interesting,
> important topic. Thanks! I took the freedom to forward it to
> liberationtech, since one of the topics lately was "the tool doesn't
> exist". Just as reference.
>
> -------- Original Message --------
> Subject: [Tails-dev] download over http by default?
> Date: Sun, 30 Jun 2013 00:46:27 +0000
> From: Jacob Appelbaum <[email protected]>
> Reply-To: The Tails public development discussion list <[email protected]>
> To: The Tails public development discussion list <[email protected]>
>
> Hi,
>
> When upgrading a tails machine today, I noticed that the default
> download link is HTTP. We've done some statistics on the number of users
> that actually bother to download signatures - it basically borders on
> none for some software. Does Tails find that for every ISO, users
> download the signature? Ten to one? Perhaps one out of every thousand
> downloads?
>
> I really strongly encourage that the default download link should be
> secure - if there was a tool to download updates and it automatically
> checked the signatures, I'd think it was perhaps OK to use HTTP.
> Probably not but well, I could at least believe that someone might
> complete both steps. Without such a tool, I think this is merely a
> recipe for disaster.
>
> We carry a secure mirror here:
>
> https://archive.torproject.org/amnesia.boum.org/tails/stable/
>
> If you guys can't handle HTTPS traffic, I really encourage you to link
> to our HTTPS site as the default. If nothing else, I believe that some
> browsers also pin our certs. That at least changes the game to something
> a bit harder.
>
> All the best,
> Jacob
