[Bug 1359836] Re: Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS

2020-08-14 Thread Joel Sing
A correction to my previous comment - download links to releases.ubuntu.com are HTTPS, however download links to cdimage.ubuntu.com still need to be updated. Once this is complete the bug can be marked as fixed. -- You received this bug notification because you are a member of Ubuntu Bugs, which

[Bug 1359836] Re: Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS

2020-08-14 Thread Joel Sing
Download links from ubuntu.com have been redirecting to HTTPS (for some time now). Additionally, cdimage is now also available over HTTPS: https://cdimage.ubuntu.com/ I believe this bug can now be marked as fixed.

[Bug 1359836] Re: Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS

2020-04-20 Thread Joel Sing
As a heads up, releases is now available over HTTPS: https://releases.ubuntu.com/ Additionally, the CD mirrors list on Launchpad now also includes https entries where supported: https://launchpad.net/ubuntu/+cdmirrors

[Bug 1359836] Re: Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS

2020-02-08 Thread Thomas Mayer
For the record in terms of Google's Chrome browser: Google announced that they plan to block http downloads when the user comes from a https page. Source: https://www.xda-developers.com/google-chrome-block-insecure-downloads-https-pages/

[Bug 1359836] Re: Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS

2019-06-13 Thread Thomas Mayer
@mpt There are also non-public mirrors in the field which have never been on the list of mirrors. And never will be. For public mirrors on the list, how would Canonical know about a compromised mirror _before_ a victim downloads from it? I'm still very happy with having https'ed mirrors, because

[Bug 1359836] Re: Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS

2019-06-13 Thread Matthew Paul Thomas
Credit to Peter Mahnke and others on Canonical’s Web & Design team for converting ubuntu.com to HTTPS, and separately for embedding the exact verification terminal command — with checksum included, and even a Copy button! — on the (now-HTTPS) “Thank you” page when downloading standard LTS-desktop,

[Bug 1359836] Re: Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS

2019-06-05 Thread Thomas Mayer
@seth-arnold There we go and let an imaginary grandma (she's a non-DD) verify an ubuntu ISO image via gpg. Of course, she will know by herself which DSA key IDs are trusted and not just extract the (MITM-compromised) IDs from the (MITM-compromised) SHA256SUMS.gpg as described in

Re: [Bug 1359836] Re: Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS

2019-06-04 Thread Seth Arnold
On Wed, Jun 05, 2019 at 12:13:54AM -, Thomas Mayer wrote: > I'd like to sum it up like this: Users should _download_ from a mirror > but they should neither _trust_ the download of the mirror nor the > checksums a mirror provides. Users can trust checksums provided by mirrors because we

[Bug 1359836] Re: Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS

2019-06-04 Thread Thomas Mayer
I'd like to sum it up like this: Users should _download_ from a mirror but they should neither _trust_ the download of the mirror nor the checksums a mirror provides. It's even the other way round: Having mirrors in the game makes it _even more_ important that checksums are provided by Canonical

[Bug 1359836] Re: Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS

2019-06-04 Thread Thomas Mayer
Here's a perfect illustration of how NOT to protect against MITM: http://www.system-rescue-cd.org/Download/ Assuming the attacker _can_ attack via MITM, then 1. the attacker can let the download link point somewhere else (e.g. to a compromised download). 2. the attacker can _also_ show a checksum

[Bug 1359836] Re: Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS

2019-06-04 Thread Thomas Mayer
In respect to the above discussion TJ posted: Please be aware that https-securing mirrors does in fact not necessarily increase the trustworthiness of the download. Reason: An attacker could compromise a mirror's downloads (e.g. via stolen credentials or via MITM while the mirror downloads via

[Bug 1359836] Re: Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS

2019-06-04 Thread TJ
Additional, more positive, discussion. 12:59 or just relax the policy and let us get LE certs outselves, just like for all the other names 13:00 maybe we could do that if we registered a new domain name 13:01 I'll bring it up again soon 13:03 the problem is we round robin mirrors under

[Bug 1359836] Re: Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS

2019-06-04 Thread TJ
Followed up on this today. No joy. IRC log from #ubuntu-hardened: 12:37 Could we revisit Bug #1359836 ? At the very least the checksum files should require HTTPS because most new users have no idea (nor sometimes, facility) to verify using GPG - think Windows users coming to Ubuntu. This

[Bug 1359836] Re: Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS

2018-03-13 Thread Matthew Paul Thomas
Since I reported this bug, Web browsers have started encouraging HTTPS adoption in several ways, one of which is flagging as “Not secure” more and more uses of HTTP: pages with password fields or payment card number fields, pages with any input fields at all, pages loaded in private/incognito

[Bug 1359836] Re: Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS

2018-03-13 Thread Matthew Paul Thomas
** Description changed: - 1. Go to . + 1. Go to . 2. Follow the most obvious route to download the recommended version of Ubuntu for PC. What happens: You end up downloading Ubuntu over HTTP. What should happen: The download is over

[Bug 1359836] Re: Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS

2018-03-11 Thread Thomas Mayer
@sabdfl In 2018, I would not download ubuntu in Turkey and Egypt. https://www.bleepingcomputer.com/news/security/turkish-isp-swapped-downloads-of-popular-software-with-spyware-infected-apps/

[Bug 1359836] Re: Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS

2017-09-29 Thread Chad Miller
Ubuntu security is still based on Debian-Developers' complacency. A DD can check the image integrity because he visited a Debian keysigning party and has the GPG web of trust to know the image signing keys are good. That's why it's okay to have instructions and validation text in an insecure

[Bug 1359836] Re: Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS

2017-09-29 Thread Chad Miller
I'm sorry. I'm frustrated that it's possible at all to be uncertain about the provenance of the root of your trust of a machine.

[Bug 1359836] Re: Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS

2017-09-29 Thread Thomas Mayer
@seth-arnold. https://tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu?backURL=%2F#1 takes me to http://releases.ubuntu.com/16.04/ How stupid is that?

[Bug 1359836] Re: Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS

2017-09-29 Thread Seth Arnold
Clicking The Obvious things from https://www.ubuntu.com to get a download leads to: https://www.ubuntu.com/download/desktop/thank-you?country=US=16.04.3=amd64 which has an https link to https://tutorials.ubuntu.com/tutorial/tutorial-how-to-verify-ubuntu If you trust the CA system far enough,

[Bug 1359836] Re: Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS

2017-09-29 Thread F R
We have a serious problem with the abuse of our networks by both state and civilian actors. Cyberwarfare and psyops is a big part of the massive war campaign in the USA. It's really a serious shame that the main install repository from the most popular distribution for machine learning (it

[Bug 1359836] Re: Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS

2016-02-21 Thread Matthew Paul Thomas
This attack is now much less theoretical. Yesterday, someone really did backdoor the ISOs for a Linux OS, specifically Linux Mint, and also altered its Web site to point to the backdoored ISOs.

[Bug 1359836] Re: Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS

2016-01-24 Thread Matthew Paul Thomas
** Description changed: 1. Go to . 2. Follow the most obvious route to download the recommended version of Ubuntu for PC. What happens: You end up downloading Ubuntu over HTTP. What should happen: The download is over HTTPS. An attacker with sufficient

[Bug 1359836] Re: Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS

2016-01-22 Thread Matthew Paul Thomas
Of all the weird and wonderful excuses I've seen for Web sites and downloads being insecure, I don't think I've ever seen someone claim that using TLS "opens us up to the TLS/SSL server and client side vulnerabilities". Opens us up compared to what, exactly? If you mean that an attacker could take

[Bug 1359836] Re: Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS

2016-01-21 Thread Dimitri John Ledkov
After downloading the ISO image one should verify 1) checksums 2) GPG signatures on those checksums These are available from http://releases.ubuntu.com/ e.g. For trusty http://releases.ubuntu.com/trusty/SHA256SUMS http://releases.ubuntu.com/trusty/SHA256SUMS.gpg And the keys used to sign these,

[Bug 1359836] Re: Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS

2014-09-01 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: ubuntu Status: New => Confirmed

[Bug 1359836] Re: Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS

2014-08-22 Thread Matthew Paul Thomas
So, ubuntu-website-content wasn't the right project. ** Project changed: ubuntu-website-content => ubuntu ** Changed in: ubuntu Status: Won't Fix => New

[Bug 1359836] Re: Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS

2014-08-21 Thread Ubuntu Foundations Team Bug Bot
Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people

[Bug 1359836] Re: Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS

2014-08-21 Thread Jamie Strandboge
I'm not sure if ubuntu-website-content is the right project -- feel free to reassign. ** Also affects: ubuntu-website-content Importance: Undecided Status: New ** No longer affects: ubuntu