Since I reported this bug, Web browsers have started encouraging HTTPS adoption in several ways, one of which is flagging as “Not secure” more and more uses of HTTP: pages with password fields or payment card number fields, pages with any input fields at all, pages loaded in private/incognito windows, and eventually all HTTP pages.
So far, I’ve not seen these plans mentioning HTTP files downloaded from HTTPS pages. But if attacks like the one Thomas linked above increase, that may change.

Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1303739
Chromium/Chrome: https://bugs.chromium.org/p/chromium/issues/detail?id=739090

Of course, Ubuntu downloads shouldn’t be secure just to avoid embarrassment from browsers; they should be secure to help keep users safe.

** Bug watch added: Mozilla Bugzilla #1303739
https://bugzilla.mozilla.org/show_bug.cgi?id=1303739

https://bugs.launchpad.net/bugs/1359836
Title: Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS
