Here's a perfect illustration of how NOT to protect against MITM: http://www.system-rescue-cd.org/Download/
Assuming the attacker _can_ attack via MITM, then

1. the attacker can let the download link point somewhere else (e.g. to a compromised download).
2. the attacker can _also_ show a checksum which was calculated for the compromised download but would be wrong for the original download.

The victim successfully checks the compromised download against the compromised checksum and everything seems fine.

For the scenario described in my previous comment, replace MITM attacker with "mirror" and trust is gone pretty much in the same manner.

--
https://bugs.launchpad.net/bugs/1359836
Title: Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS
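
The argument in the comment above, as an added example that is not part of the original message: a checksum delivered over the same unauthenticated channel as the file accepts a substituted file, while a reference value obtained over an authenticated channel rejects it. The function names and the byte strings are constructed for illustration, and how the trusted value is obtained (an HTTPS page, a verified signature) is an assumption outside the code.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def publish(image: bytes) -> dict:
    """What a download page offers: the file plus the checksum shown beside it."""
    return {"image": image, "checksum": sha256_hex(image)}


def tamper_in_transit(response: dict, replacement: bytes) -> dict:
    """Model of the comment's scenario: whoever controls the channel (MITM or
    mirror) replaces the file and the displayed checksum together."""
    return dict(response, image=replacement, checksum=sha256_hex(replacement))


def check_same_channel(response: dict) -> bool:
    """Flawed check: the reference value arrived with the file it vouches for."""
    return hmac.compare_digest(sha256_hex(response["image"]), response["checksum"])


def check_trusted_reference(response: dict, trusted_checksum: str) -> bool:
    """Sound check: the reference value came over an authenticated channel."""
    return hmac.compare_digest(sha256_hex(response["image"]), trusted_checksum)


def demo() -> dict:
    original = b"constructed bytes standing in for the genuine ISO"
    modified = b"constructed bytes standing in for a modified ISO"
    # Assumption: this value was learned over a channel the attacker cannot alter.
    trusted = sha256_hex(original)
    clean = publish(original)
    received = tamper_in_transit(clean, modified)
    return {
        "clean_same_channel": check_same_channel(clean),
        "tampered_same_channel": check_same_channel(received),
        "clean_trusted": check_trusted_reference(clean, trusted),
        "tampered_trusted": check_trusted_reference(received, trusted),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'REJECTED'}")
```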