** Description changed:

  1. Go to <http://www.ubuntu.com/>.
  2. Follow the most obvious route to download the recommended version of Ubuntu for PC.

  What happens: You end up downloading Ubuntu over HTTP.

  What should happen: The download is over HTTPS.

  An attacker with sufficient savvy and bandwidth could MITM your local Ubuntu mirror, serving you an ISO of something that looked and worked like Ubuntu but did all kinds of nefarious things.

  The equivalent for software updates is bug 1186793.

+ Discussed on ubuntu-devel-discuss@ in September 2015.
+ <https://lists.ubuntu.com/archives/ubuntu-devel-discuss/2015-September/thread.html#15819>
+
  [Originally reported by Tony Webster of "HTTP Shaming". <http://httpshaming.tumblr.com/post/95277096082/problem-1-the-iso-for-ubuntu-is-downloaded-via>]
--
https://bugs.launchpad.net/bugs/1359836

Title:
  Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS