*** This bug is a security vulnerability ***

Public security bug reported:

Ubuntu offers an overview of how to get hashes of download files at https://help.ubuntu.com/community/UbuntuHashes (via HTTPS). It then takes me to http://releases.ubuntu.com (via HTTP). Which then takes me to e.g. http://releases.ubuntu.com/15.10/ (via HTTP). Which then takes me to e.g. http://releases.ubuntu.com/15.10/SHA256SUMS (via HTTP), which finally contains the hashes.

This HTTP resource is not protected against MITM attackers. Basically that means that when a MITM is able to compromise the download, the MITM should also be able to compromise the hashes I want to test against.

There is also no HTTPS-secured representation of these hashes available (e.g. http://releases.ubuntu.com/15.10/SHA256SUMS). But there is a http://releases.ubuntu.com/15.10/SHA256SUMS.gpg signature, while it is not mentioned in the web pages above how this can be used to mitigate MITM attacks, or who is finally authorized to sign something in the name of Ubuntu and which is his or her PGP public key.

I remember that there was once an HTTPS-secured web page containing all the hashes for at least the Ubuntu 14.04.x downloads. I think this was really straightforward: get the hash from a trusted source (via HTTPS) and compare it with the hash of the download. In that sense, I consider the current state a regression.

** Affects: add-apt-key (Ubuntu)
     Importance: Undecided
         Status: New

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1534967

Title:
  ubuntu distro hashes insecure against MITM attacks (when not using GPG)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/add-apt-key/+bug/1534967/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
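The mitigation the report alludes to, as an added example that is not part of the bug report or of any Ubuntu tooling: treat SHA256SUMS as trusted only after its detached SHA256SUMS.gpg signature verifies against a key fingerprint obtained out of band (the `expected_fpr` value and the `keyring` path are placeholders the caller supplies; the SHA256SUMS lines in the test are constructed).

```python
import hashlib
import subprocess
from pathlib import Path


def parse_sha256sums(text):
    """Parse coreutils-style lines: '<64 hex>  name' or '<64 hex> *name' (binary mode)."""
    sums = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue  # skip blank, comment or malformed lines
        sums[parts[1].lstrip("*")] = parts[0].lower()
    return sums


def sha256_of_file(path, chunk=1 << 20):
    """Stream the file so a multi-GB ISO never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_matches(iso_path, sums_text):
    """True only if the ISO is listed in sums_text and its digest matches."""
    expected = parse_sha256sums(sums_text).get(Path(iso_path).name)
    return expected is not None and sha256_of_file(iso_path) == expected


def signature_verifies(sums_path, sig_path, expected_fpr, keyring=None):
    """gpg --verify of the detached signature, pinned to one key fingerprint.
    A 'good' signature from any other key in the keyring is still rejected."""
    cmd = ["gpg", "--batch", "--status-fd", "1"]
    if keyring:  # placeholder: a keyring holding only the image signing key
        cmd += ["--no-default-keyring", "--keyring", str(keyring)]
    cmd += ["--verify", str(sig_path), str(sums_path)]
    try:
        res = subprocess.run(cmd, capture_output=True, text=True, check=False)
    except OSError:
        return False  # gpg not installed: nothing verified, so nothing trusted
    if res.returncode != 0:
        return False
    for line in res.stdout.splitlines():
        f = line.split()
        if len(f) >= 3 and f[:2] == ["[GNUPG:]", "VALIDSIG"]:
            # field 2 is the signing (sub)key, the last field the primary key
            if expected_fpr.upper() in (f[2].upper(), f[-1].upper()):
                return True
    return False


def check_download(iso_path, sums_path, sig_path, expected_fpr, keyring=None):
    """Refuse to use an unsigned or wrongly signed hash list, then compare."""
    if not signature_verifies(sums_path, sig_path, expected_fpr, keyring):
        return False
    return hash_matches(iso_path, Path(sums_path).read_text())
```

Fetching SHA256SUMS and SHA256SUMS.gpg over plain HTTP is then acceptable, because a tampered hash list fails the signature check before any hash is compared.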