[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS
Proof of Concept: https://twitter.com/yungtravla/status/1013275701078683648

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1464064

Title:
  Ubuntu apt repos are not available via HTTPS

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+bug/1464064/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1464064] Re: Ubuntu apt repos are not available via HTTPS
Is it me or are the people who defend Ubuntu's lack of security deliberately avoiding the issue? The checksums and ISO files on releases.ubuntu.com and archive.ubuntu.com (and possibly more) are 100% vulnerable to MITM attacks for *NON-APT USERS*. Do not assume that the entire world is using APT... In fact, the MAJORITY of people who downloaded Ubuntu did so using their browser. All these people are at risk of running a compromised Ubuntu installation. You had the chance to fix this issue 3 years ago... I don't know what else to say.

[Bug 1779524] Re: Insecure Ubuntu repos pose risk to all non-APT users
In response to Launchpad's message:

"Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it."

Please be advised that this bug affects all Ubuntu distributions, not just one single package. I stress that you watch the PoC (Proof of Concept) which I included in my first report. I will include it here once again: https://twitter.com/yungtravla/status/1013275701078683648

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1779524

Title:
  Insecure Ubuntu repos pose risk to all non-APT users

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+bug/1779524/+subscriptions

[Bug 1779524] [NEW] Insecure Ubuntu repos pose risk to all non-APT users
Public bug reported:

affects ubuntu

Ubuntu has improperly configured their TLS. So improper that everything BUT their downloads are secured with TLS. This poses a serious risk to all non-APT users (majority of the people on this planet), as the checksums and ISO files are exposed over HTTP, and can be modified by MITM attackers, ISPs, and basically any node in the route.

Please see my proof of concept here: https://twitter.com/yungtravla/status/1013275701078683648

*Problem identified on 30/06/2018 by Yarwin Kolff*

** Affects: ubuntu
     Importance: Undecided
         Status: New