Public bug reported:

 affects ubuntu

Ubuntu has improperly configured their TLS. So improper that everything BUT
their downloads is secured with TLS.

This poses a serious risk to all non-APT users (the majority of the people on
this planet), as the checksums and ISO files are exposed over HTTP, and can
be modified by MITM attackers, ISPs, and basically any node in the route.

Please see my proof of concept here:
https://twitter.com/yungtravla/status/1013275701078683648

*Problem identified on 30/06/2018 by Yarwin Kolff*

** Affects: ubuntu
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1779524

Title:
  Insecure Ubuntu repos pose risk to all non-APT users

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+bug/1779524/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
