With respect to the above discussion TJ posted: Please be aware that https-securing mirrors does in fact not necessarily increase the trustworthiness of the download. Reason:
An attacker could compromise a mirror's downloads (e.g. via stolen credentials or via MITM while the mirror downloads via http) or the attacker could create a new mirror. The mirror would be perfectly secured via https. Accordingly, compromised checksums would be provided via e.g. the mirror as well. And the attacker's malware would just be downloaded via https; even the https-downloaded checksums of the mirror would seem right. On the side of the victim, this can lead to a false sense of security.

Instead, the _producer_ of the software must give the commitment which checksum is right, not some random guy (e.g. a mirror). Consequently, the downloading person must check checksums against the checksums the _producer_ provided - and not only check checksums but also check the trustworthiness of the _origin_ of these checksums. Consequently, the checksums should be provided via an https-secured domain or at least subdomain of the _producer_ (e.g. https://www.ubuntu.com/...).

https://bugs.launchpad.net/bugs/1359836
Title: Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS
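The check described in the comment above, as an added example that is not part of the original post: an image is accepted only if its SHA-256 matches a checksum list that was itself served over https from the producer's domain or a subdomain. The domain constant, file name, URLs and sample bytes are constructed assumptions for illustration.

```python
import hashlib
from urllib.parse import urlsplit

PRODUCER_DOMAIN = "ubuntu.com"  # assumption: the producer's registered domain

def origin_is_producer(url, producer=PRODUCER_DOMAIN):
    """True only for https URLs on the producer's domain or one of its subdomains."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    return parts.scheme == "https" and (host == producer or host.endswith("." + producer))

def parse_sums(text):
    """Parse sha256sum-style lines ('<hex>  name' or '<hex> *name') into {name: hex}."""
    sums = {}
    for line in text.splitlines():
        digest, sep, name = line.strip().partition(" ")
        if sep and len(digest) == 64 and all(c in "0123456789abcdef" for c in digest.lower()):
            sums[name.lstrip(" *")] = digest.lower()
    return sums

def verify(image, name, sums_text, sums_url):
    """Return (ok, reason); the checksum list counts only if the producer served it."""
    if not origin_is_producer(sums_url):
        return False, "checksum list not from producer"
    expected = parse_sums(sums_text).get(name)
    if expected is None:
        return False, "image not listed"
    if hashlib.sha256(image).hexdigest() != expected:
        return False, "digest mismatch"
    return True, "ok"

# Constructed sample data: a stand-in image, a tampered copy, and two checksum lists.
NAME = "example.iso"
GENUINE, TAMPERED = b"genuine image bytes", b"tampered image bytes"
PRODUCER_SUMS = f"{hashlib.sha256(GENUINE).hexdigest()} *{NAME}\n"
MIRROR_SUMS = f"{hashlib.sha256(TAMPERED).hexdigest()} *{NAME}\n"
PRODUCER_URL = "https://www.ubuntu.com/SHA256SUMS"   # constructed path
MIRROR_URL = "https://mirror.example/SHA256SUMS"     # constructed mirror

if __name__ == "__main__":
    # The mirror's image matches the mirror's own list, yet is rejected on origin.
    print(verify(TAMPERED, NAME, MIRROR_SUMS, MIRROR_URL))
    print(verify(TAMPERED, NAME, PRODUCER_SUMS, PRODUCER_URL))
    print(verify(GENUINE, NAME, PRODUCER_SUMS, PRODUCER_URL))
```

The first call is the case the comment warns about: image and checksum list agree with each other and both arrive over https, but neither comes from the producer.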
