From: shaclacroi <shaclac...@fastservice.com> --===============4246186708895111201== Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
<html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;"><div> <div>Louis,</div> <div> </div> <div>There are a few important points to make in response to what you said ....</div> <div> </div> <div>1) We're not talking about merely browsing; we're talking about downloading and verifying software that will run on your computer. Without verification information being provided over https, there's absolutely no protection from a man-in-the-middle causing you to download a maliciously compromised version of the software from another server.</div> <div> </div> <div>2) Apart from locally installed software or configuration (which you are responsible for and implicitly trust on your own computer), the examples of man-in-the-middle possibilities you list are ones that are protected by using https. That is, if I were going to download and verify FreeDOS, I would ensure that the verification checksums were served over https. When I attempted to load the checksums over https, if a captive portal intercepted the request, my browser would inform me that the MiTM doesn't have a matching certificate (unless my browser has been specially configured to trust the certificate of that captive portal, which means either I did it or I'm using some other organization's computer and accept the consequences). Additionally, a gateway cannot inspect or inject content going through https unless the computer initiating the request is specially configured to trust certificates created by that gateway, so if one that hasn't been trusted tries, you get a browser error just the same. DNS forgery would result in the same -- your browser would tell you that the server you're connecting to doesn't have a matching certificate. Proxy content injection -- same story. These are all examples of where user vigilance in ensuring they are getting the verification information over https protects the user from a MiTM attack. On the other hand, your browser and extensions you use could indeed modify the contents of https communcations -- but this is locally installed and configured software that the user has chosen to trust.</div> <div> </div> <div>The certificate system isn't perfect, but it's considerably better than nothing.</div> <div> <div name="quote" style="margin:10px 5px 5px 10px; padding: 10px 0 10px 10px; border-left:2px solid #C3D9E5; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"> <div style="margin:0 0 10px 0;"><b>Sent:</b> Sunday, January 15, 2017 at 12:43 AM<br/> <b>From:</b> "Louis Santillan" <lpsan...@gmail.com><br/> <b>To:</b> "Discussion and general questions about FreeDOS." <freedos-user@lists.sourceforge.net><br/> <b>Subject:</b> Re: [Freedos-user] verification checksums should be served over https</div> <div name="quoted-content">I would not be lured into a false sense of security provided by<br/> browser makers and their insistence that the safest form of browsing<br/> is over HTTPS. You can still be easily MITM'd with captive portals,<br/> gateway content inspection/injection, DNS forgery, via proxy content<br/> injection, your ad blocker or browser extensions profile and probably<br/> another half dozen easily implemented exploits. Heck, your browser<br/> can even become part of the MITM exploit.<br/> <br/> I'll intentionally misquote a saying I've heard about rules & law;<br/> "[Encryption standards] aren't made to keep the bad guys out; they're<br/> made to keep the good guys in."<br/> <br/> <br/> On Sat, Jan 14, 2017 at 11:21 AM, shaclacroi <shaclac...@fastservice.com> wrote:<br/> > The download page links to checksums at<br/> > <a href="http://www.freedos.org/download/verify.txt"; target="_blank">http://www.freedos.org/download/verify.txt</a> -- but since this page isn't<br/> > available over https, there's no way to confirm the validity of the<br/> > checksums, since the page could be intercepted and modified by a<br/> > man-in-the-middle attacker<br/> > (<a href="https://en.wikipedia.org/wiki/Man-in-the-middle_attack"; target="_blank">https://en.wikipedia.org/wiki/Man-in-the-middle_attack</a>).<br/ ><br/> > As free secure https certficates are now offered by Let's Encrypt<br/> > (<a href="https://letsencrypt.org/"; target="_blank">https://letsencrypt.org/</a>), it may be advisable to get https set up for<br/> > <a href="http://www.freedos.org"; target="_blank">www.freedos.org</a>.<br/> ><br/> > Alternatively, as I see your hosted on Amazon Web Services, if you're using<br/> > Elastic Load Balancing or Amazon CloudFront, Amazon's Certificate Manager<br/> > also offers free https certificates.<br/> ><br/> > Let me know if I can be of any help.<br/> ><br/> > ------------------------------------------------------------------------------<b /> > Developer Access Program for Intel Xeon Phi Processors<br/> > Access to Intel Xeon Phi processor-based developer platforms.<br/> > With one year of Intel Parallel Studio XE.<br/> > Training and support from Colfax.<br/> > Order your platform today. <a href="http://sdm.link/xeonphi"; target="_blank">http://sdm.link/xeonphi</a><br/> > _______________________________________________<br/> > Freedos-user mailing list<br/> > Freedos-user@lists.sourceforge.net<br/> > <a href="https://lists.sourceforge.net/lists/listinfo/freedos-user"; target="_blank">https://lists.sourceforge.net/lists/listinfo/freedos-user</a><br > ><br/> <br/> ------------------------------------------------------------------------------< r/> Developer Access Program for Intel Xeon Phi Processors<br/> Access to Intel Xeon Phi processor-based developer platforms.<br/> With one year of Intel Parallel Studio XE.<br/> Training and support from Colfax.<br/> Order your platform today. <a href="http://sdm.link/xeonphi"; target="_blank">http://sdm.link/xeonphi</a><br/> _______________________________________________<br/> Freedos-user mailing list<br/> Freedos-user@lists.sourceforge.net<br/> <a href="https://lists.sourceforge.net/lists/listinfo/freedos-user"; target="_blank">https://lists.sourceforge.net/lists/listinfo/freedos-user</a></d v> </div> </div> </div> <div> </div> <div class="signature"> </div></div></body></html> --===============4246186708895111201== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline ------------------------------------------------------------------------------ Developer Access Program for Intel Xeon Phi Processors Access to Intel Xeon Phi processor-based developer platforms. With one year of Intel Parallel Studio XE. Training and support from Colfax. Order your platform today. http://sdm.link/xeonphi --===============4246186708895111201== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Freedos-user mailing list Freedos-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/freedos-user --===============4246186708895111201==-- --- Internet Rex 2.29 * Origin: capcity2.synchro.net - 502/875-8938 (1:2320/105.99) --- * BgNet 1.0b12 = CCO * KY/US * 502/875-8938 * capcity2.synchro.net --- Synchronet 3.15a-Linux ListGate 1.3 * Capitol City Online - Frankfort, KY - telnet://capitolcityonline.net ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Freedos-user mailing list Freedos-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/freedos-user
