Credit to Peter Mahnke and others on Canonical’s Web & Design team for converting ubuntu.com to HTTPS, and separately for embedding the exact verification terminal command — with checksum included, and even a Copy button! — on the (now-HTTPS) “Thank you” page when downloading standard LTS-desktop, latest-desktop, LTS-server, and latest-server images. (I’m now on that team, but I wasn’t involved in that work, and opinions here are my own.)
The instructions as written don’t work on macOS or other BSDs, Chrome OS, or (without great effort) Windows, but those are fixable. And releases.ubuntu.com, cloud-images.ubuntu.com, old-releases.ubuntu.com, and mirror file listings are still HTTP with no verification instructions, though people using those sites are perhaps more willing and able to work it out for themselves.

However, the current verification system can’t protect, *in a way that HTTPS would*:

* people not willing/bothering to run the verification command (probably the biggest category)
* Windows users not knowing/willing/able to install either Microsoft File Checksum Integrity Verifier or, as suggested in the linked tutorial, Ubuntu for Windows (download a second copy of Ubuntu just to verify your download of the first copy? really?)
* Windows S Mode users not knowing/willing to switch out of S Mode.

Of course, as Thomas wrote, “the attacker could create a new mirror … perfectly secured via https”. (Though if they did, at the very least, we’d remove them from the list of mirrors!) Or they could attack your browser’s key store such that it trusts shonky certificates, or engage in corporate sabotage, or find an SSL zero-day like Dimitri mentioned, or, or, or … The point here is not to protect against every possible attack. The point is to reduce the attack surface.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1359836

Title:
  Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+bug/1359836/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
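The comment above notes that the checksum command on the download page does not work as written on macOS or other BSDs, which ship `shasum` rather than GNU `sha256sum`. The script below is an added example (not Ubuntu’s own verification command and not part of the bug comment) of a portable version of that checksum step: `sha256_of` and `verify_image` are hypothetical helper names, the `SHA256SUMS` file and the two “image” files in the demo are constructed in a temp directory, and the listed digest is the well-known SHA-256 of the bytes `hello\n`. In real use, the expected digest has to come from somewhere the attacker cannot also rewrite: the HTTPS “Thank you” page the comment describes, or a `SHA256SUMS` file whose detached GPG signature you have already verified. Fetching the checksum over the same plain-HTTP channel as the image proves nothing, which is the whole point of the bug.

```shell
#!/bin/sh
# Added example: verify a downloaded image against a SHA256SUMS-style file
# on Linux (sha256sum) or macOS/BSD (shasum -a 256). Hypothetical helpers,
# not Ubuntu's own tooling. This checks integrity only; the SHA256SUMS file
# itself must be trusted (served over HTTPS or GPG-verified beforehand).

# sha256_of FILE: print the hex SHA-256 digest of FILE, whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        echo "no SHA-256 tool found (need sha256sum or shasum)" >&2
        return 2
    fi
}

# verify_image SUMSFILE IMAGE
# Look up IMAGE's basename in SUMSFILE (lines of "<hex> *<name>" or
# "<hex>  <name>", the formats sha256sum -c accepts), compare the listed
# digest with the computed one, and return 0 only on an exact match.
# Unlisted files are rejected: silently accepting them would let an
# attacker dodge the check by renaming the image.
verify_image() {
    sums="$1"; image="$2"; name=$(basename "$image")
    expected=$(awk -v n="$name" '{ f=$2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo "$name: not listed in $sums" >&2
        return 1
    fi
    actual=$(sha256_of "$image") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "$name: OK"
        return 0
    fi
    echo "$name: FAILED (expected $expected, got $actual)" >&2
    return 1
}

# Constructed demo data: SHA-256 of the six bytes "hello\n".
KNOWN=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

demo() {
    t=$(mktemp -d)
    printf 'hello\n' > "$t/good.iso"       # stand-in for a correctly downloaded image
    printf 'hellp\n' > "$t/tampered.iso"   # one byte changed in transit
    # Constructed SHA256SUMS listing the same digest for both names, so the
    # tampered file must fail the comparison.
    printf '%s *%s\n' "$KNOWN" good.iso "$KNOWN" tampered.iso > "$t/SHA256SUMS"
    verify_image "$t/SHA256SUMS" "$t/good.iso"
    verify_image "$t/SHA256SUMS" "$t/tampered.iso" || echo "tampered.iso rejected (exit $?)"
    rm -rf "$t"
}
demo
```

The script deliberately does not cover the Windows cases from the comment: PowerShell’s `Get-FileHash` exists there, but the comment’s point is that many Windows users will never open a shell at all, and no amount of portable scripting reaches them.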