Thanks for pointing out those servers. On a practical level I don't really
see how it helps though, because I don't see a realistic way of getting the
certificate of SPI onto my computer.

> You've downloaded a bunch of certificates that came with your web browser.
> Why do you trust them?

As I pointed out above, there are many problems associated with HTTPS.
Trusting the root certificates is one of those. Still, the level of trust I
have in them comes from:

a) getting them shipped to me in a "secure" or at least "somewhat secure"
way (which is the whole point of this thread, remember)
b) some trust in the certification authorities and everyone that is supposed
to check them, like auditors and browser/OS developers
c) some trust in developers that store and distribute them, like browser/OS
developers to do that in a safe way

Admittedly that is not much trust, but it is definitely more than plain HTTP,
especially considering that an attacker must have it all set up beforehand.
Downloading a Linux distro does not leave sensitive traces afterwards. It's
all about the moment of download.

Currently I'm installing Fedora, because it seems that that is as good as it
gets with HTTPS. Their site is very neat and informative about verifying their
downloads; it all comes over certified HTTPS, even extra tools like the
liveusb-creator. This gives me at least a higher sense of trust than the
current Debian situation.

greetz
naja melan
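The point raised about verifying downloads can be made concrete with a small checker. This is an added example, not code from the thread, from Debian or from Fedora: it assumes a checksum file in the common `<sha256hex>  <filename>` layout (a constructed format assumption, not any project's published file), hashes the local image, and compares in constant time. It reports "missing" when the file is not listed, "mismatch" when the hash differs, and "ok" otherwise. The sample image and checksum lines in `demo()` are constructed for illustration.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Assumed layout of the checksum file: one "<64 hex chars>  <filename>" entry
# per line, optional "*" binary marker before the name, "#" comment lines.
_SUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")


def parse_sums(text):
    """Return {filename: lowercase sha256 hex} from a SHA256SUMS-style text."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _SUM_LINE.match(line)
        if m:
            entries[m.group(2)] = m.group(1).lower()
    return entries


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(image_path, sums_text):
    """Check image_path against sums_text: 'ok', 'mismatch' or 'missing'."""
    expected = parse_sums(sums_text).get(Path(image_path).name)
    if expected is None:
        return "missing"
    actual = sha256_file(image_path)
    # compare_digest avoids leaking how many leading characters matched.
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def demo():
    """Constructed end-to-end run: a fake image, a matching sums file, a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "example-live.iso"          # constructed sample image
        good.write_bytes(b"constructed image payload\n" * 1000)
        sums_text = f"# constructed checksum file\n{sha256_file(good)}  {good.name}\n"

        tampered = Path(tmp) / "tampered.iso"          # same bytes plus one extra
        tampered.write_bytes(good.read_bytes() + b"x")
        sums_for_tampered = sums_text.replace(good.name, tampered.name)

        unknown = Path(tmp) / "unknown.iso"            # not listed at all
        unknown.write_bytes(b"whatever")

        return {
            "good": verify_download(good, sums_text),
            "tampered": verify_download(tampered, sums_for_tampered),
            "unknown": verify_download(unknown, sums_text),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The check is only as strong as the channel the checksum file arrived through, which is the thread's actual concern: a sums file fetched over plain HTTP can be swapped together with the image, so it has to come over a verified HTTPS connection or carry a signature that is checked separately.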
