** Description changed:

- 1. Go to <http://www.ubuntu.com/>.
+ 1. Go to <https://www.ubuntu.com/>.
  2. Follow the most obvious route to download the recommended version of 
Ubuntu for PC.
  
  What happens: You end up downloading Ubuntu over HTTP.
  
  What should happen: The download is over HTTPS.
  
  An attacker with sufficient savvy and bandwidth could MITM your local
  Ubuntu mirror, serving you an ISO of something that looked and worked
  like Ubuntu but did all kinds of nefarious things.
  
  The equivalent for software updates is bug 1186793.
  
  Discussed on ubuntu-devel-discuss@ in September 2015.
  <https://lists.ubuntu.com/archives/ubuntu-devel-
  discuss/2015-September/thread.html#15819>
  
  [Originally reported by Tony Webster of "HTTP Shaming".
  <http://httpshaming.tumblr.com/post/95277096082/problem-1-the-iso-for-
  ubuntu-is-downloaded-via>]

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1359836

Title:
  Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+bug/1359836/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to