On 16-11-2015 13:59, Danny Nguyen wrote:
> I hope these are not dumb questions.
>
> Would sftp (secure ftp) be a better alternative than ftp?

Which "secure ftp" are you referring to here? SSH's sftp or ftps? Because if
it's the latter, then I'd say it wouldn't be a better alternative. ftp
is ftp. Putting a TLS layer on top of it won't change the most hated
things about the protocol. And using SSH's sftp adds the
complexity of host keys to the mix. Do you expect that the OpenBSD team
would manage all ssh host keys for all the sftp mirrors and put them on
the install media? And what if one of them changes?

>  What was the
> logic to remove that option on the network install versus http? is there
> even a benefit for the mirrors to be on https (secure http) vs http and
> would that allow for a verified download like the openbsd compact disks?

You are mixing things here. You can verify any download from any OpenBSD
mirror regardless of protocol (ftp, http). Last I checked, there weren't
any https OpenBSD mirrors.

>  I
> always got really concerned when the install prompted me that "Directory
> does not contain SHA256.sig. Continue without verification?" before
> actually using official openbsd compact discs. My intent is to assess the
> strengths and weaknesses of the protocols being discussed and comparing
> them with respect to security.

This has been answered on this list many times. If you're really
concerned, verify your disks manually, or perform a network install. My
suggestion? Buy the CDs (or donate) to help the project. But perform
the installation using a USB stick. As far as weaknesses and strengths of
the protocols, they are quite irrelevant for the OpenBSD installation.
Everything is signed using signify. The transfer medium can be (and is)
unencrypted. Of course this pretty much means anyone listening knows
you're downloading/installing OpenBSD. If your concern is this, then
you'll need to figure out for yourself how to hide the fact that you're
installing OpenBSD.

Cheers,
Giancarlo Razzolini
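
The point in the message above, that a download is checked against the signed SHA256.sig regardless of how it was fetched, as an added Python example (not part of the original message and not OpenBSD's own code). It assumes the embedded-signature layout written by signify (comment line, base64 line, then the checksum list); the function names are hypothetical and the sample data is constructed. It covers only the checksum comparison: the Ed25519 signature on the list must still be verified with signify itself.

```python
import base64
import hashlib
import re

# BSD-style checksum line, as found in OpenBSD's SHA256 file.
LINE_RE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<hex>[0-9a-f]{64})$")

def split_signed_list(sig_text):
    """Split an embedded-signature file into (key_id_hex, checksum_text).

    Layout: 'untrusted comment: ...' line, one base64 line holding
    'Ed' + 8-byte key id + 64-byte signature, then the signed message.
    This only parses the container; it does NOT verify the signature.
    """
    comment, sig_b64, message = sig_text.split("\n", 2)
    if not comment.startswith("untrusted comment: "):
        raise ValueError("missing untrusted comment line")
    blob = base64.b64decode(sig_b64, validate=True)
    if len(blob) != 74 or blob[:2] != b"Ed":
        raise ValueError("not an Ed25519 signify signature")
    return blob[2:10].hex(), message

def parse_checksums(message):
    """Return {filename: hex digest} from the signed checksum list."""
    table = {}
    for line in message.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unexpected line in checksum list: %r" % line)
        table[m["name"]] = m["hex"]
    return table

def check_download(name, data, table):
    """True only if `name` is listed and its digest matches the list."""
    expected = table.get(name)
    return expected is not None and hashlib.sha256(data).hexdigest() == expected

# Constructed sample: dummy key id and signature bytes, not a real release.
GOOD = b"constructed stand-in for a release set"
SAMPLE_SIG = (
    "untrusted comment: constructed example\n"
    + base64.b64encode(b"Ed" + bytes(range(8)) + bytes(64)).decode() + "\n"
    + "SHA256 (base.tgz) = " + hashlib.sha256(GOOD).hexdigest() + "\n"
)

key_id, listing = split_signed_list(SAMPLE_SIG)
TABLE = parse_checksums(listing)
```

A file altered anywhere between the mirror and the installer fails `check_download`, whether it arrived over ftp or http; the key id is what lets signify pick the matching public key.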
