This attack is now much less theoretical. Yesterday, someone really did backdoor the ISOs for a Linux OS, specifically Linux Mint, and also altered its Web site to point to the backdoored ISOs. <http://news.softpedia.com/news/linux-mint-website-hack-a-timeline-of-events-500719.shtml>
Unfortunately the developers were still using MD5 checksums, but even if they had been using a more secure checksum, the attacker altered the checksums on the Web site too. <http://blog.linuxmint.com/?p=2994#comment-125064>

This particular attack apparently happened via a WordPress installation. Switching to HTTPS would not have prevented someone from attacking WordPress. But it would prevent someone from achieving the same result via MITM without having to alter the Ubuntu Web site at all.

--
https://bugs.launchpad.net/bugs/1359836
Title: Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS
