Of all the weird and wonderful excuses I've seen for Web sites and downloads being insecure, I don't think I've ever seen someone claim that using TLS "opens us up to the TLS/SSL server and client side vulnerabilities". Opens us up compared to what, exactly? If you mean that an attacker could take advantage of a briefly-known TLS library vulnerability (like Goto Fail) to MITM the HTTPS download, remember that *they can already do that right now all the time* with HTTP downloads.
As far as I know Ubuntu isn't served using a CDN, and even if it was, plenty of CDNs provide HTTPS. And I'm well aware that requiring HTTPS would make mirroring more difficult, but in the equivalent RT I suggested that Let's Encrypt could be a solution to that. <https://letsencrypt.org/>

GPG-signed checksums might have been relevant in the first few months of Ubuntu's existence, when you could reasonably expect that a large proportion of downloaders would (a) bother to check them at all and (b) have the faintest idea what a "GnuPG web of trust" was. But neither of those has been remotely true for over a decade.

"Incomplete" is for bug reports that lack enough information to reproduce them. If that applies to this report, please let me know.

** Changed in: ubuntu
       Status: Incomplete => Confirmed

https://bugs.launchpad.net/bugs/1359836

Title:
  Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS