@seth-arnold There we go and let an imaginary grandma (she's a non-DD) verify an ubuntu ISO image via gpg. Of course, she will know by herself which DSA key IDs are trusted and not just extract the (MITM-compromised) IDs from the (MITM-compromised) SHA256SUMS.gpg as described in https://tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu#3 The attacker then can't trick our grandma in verifying the (MITM- compromised) ubuntu ISO. Bravo.
I cite: "This is actually a really useful message, as it tells us which key or keys were used to generate the signature file. [...] Knowing these ID numbers [...], means we can request them from the Ubuntu key server.". No way, it's NOT useful at all. We don't want to see the MITM's DSA key IDs when processing a MITM-compromised SHA256SUMS.gpg file. We don't want to download the attackers keys via hkp and never ever do we want to verify the MITM-compromised our ISO using the attacker's keys. I was just revisiting the download dialogue. For me, this whole discussion turned into an academic one because when starting the download, the user _now_ gets shown an ubuntu-domain-https-secured checksum for the download. Hooray. It's that simple. That is pretty much what I was waiting for for years - and something we already had a couple of years ago. https://www.ubuntu.com/download/desktop/thank- you?country=DE&version=18.04.2&architecture=amd64 For the downloads themselves, https only makes downloads from ubuntu domain trustworthy. For mirrors, verification via trustworthy checksums is still needed, be it with http or https downloads from a (non-trusted) mirror. Still, having https for mirrors protects from MITM attacks between user and mirror. When users leave out the verification (out of lazyness or lack of knowledge), this can still mitigate a portion of the attacks which would have been successful otherwhise. But there's no guarantee any more. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1359836 Title: Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+bug/1359836/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs