After downloading the ISO image one should verify 1) checksums 2) GPG signatures on those checksums
These are available from http://releases.ubuntu.com/ e.g. For trusty http://releases.ubuntu.com/trusty/SHA256SUMS http://releases.ubuntu.com/trusty/SHA256SUMS.gpg And the keys used to sign these, are in the global strongly connected GnuPG web of trust set. And one can establish a trust path to said key, via real humans. (Most ubuntu and debian developers). However, I do take that this is slightly obscure. However, we will not rely on TLS (SSL) as that opens us up to all the TLS/SSL server and client side vulnerabilities as well as rogue CA, whilst limiting our ability to utilise CDN, mirror network and country specific mirrors. An easier way to grab and validate checksums and GPG signatures would be nice. Imho web browsers should be able to find and validate those. ** Changed in: ubuntu Status: Confirmed => Incomplete -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1359836 Title: Ubuntu ISOs downloaded insecurely, over HTTP rather than HTTPS To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+bug/1359836/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs