
Most major Linux distributions, such as Debian, Ubuntu, and CentOS, serve their ISO files over unencrypted HTTP or FTP. They don't even provide an option to download using TLS, even when the rest of their website uses it. At least some distributions, such as Ubuntu, also use unencrypted HTTP to serve the GPG key files that people are supposed to use to check the ISOs after downloading.

This seems like a huge security risk, because an attacker could easily substitute their own compromised ISO files for the real ones, and the same thing for GPG keys.

I'm sure the Linux distributions know about this, so they must not think it's a problem. Why not? Is there some workaround for users to ensure that the files they download are legitimate?

gesgsklw
    Please detail (inside the question and not a comment) how this questions differs from [Where to download OpenBSD release ISO's over HTTPS?](http://security.stackexchange.com/questions/4152/where-to-download-openbsd-release-isos-over-https) or [Why aren't application downloads routinely done over HTTPS?](http://security.stackexchange.com/questions/18853/why-arent-application-downloads-routinely-done-over-https). Otherwise I would suggest to close it as a duplicate. – Steffen Ullrich Nov 04 '16 at 01:33
  • Not all are like this: https://mirrors.kernel.org/ and with many you can visit their https pages, and then collect the key and/or hash, and then verify it when you download it. – Mark Buffalo Nov 04 '16 at 05:25
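The workaround the comments point at (collect the key fingerprint and checksums from an HTTPS page, then verify the HTTP download locally), written out as an added example script that is not part of the original question or comments. It assumes an Ubuntu-style layout of a SHA256SUMS file with a detached SHA256SUMS.gpg signature, that the signing key is already in the local keyring, and that EXPECTED_FPR is replaced with the fingerprint copied from the HTTPS key page; the value shown is a placeholder.

```shell
#!/bin/sh
# Added example: verify a downloaded ISO against a signed checksum file.
# Assumed layout (Ubuntu-style): SHA256SUMS plus a detached SHA256SUMS.gpg,
# with the signing key's fingerprint copied from the distribution's HTTPS
# key page. EXPECTED_FPR below is a placeholder, not a real fingerprint.
set -eu

EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"

# Step 1: verify the detached signature AND that it was made by the pinned key.
# A plain "gpg --verify" succeeds for any key in the keyring, so the VALIDSIG
# status line is checked against the expected fingerprint instead.
verify_sums_signature() {
    sums="$1"; sig="$2"; fpr="$3"
    gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $fpr "
}

# Step 2: compare the ISO's SHA-256 with its entry in the (now trusted) list.
# Lines look like "<hex> *<name>"; the "*" marks binary mode and is stripped.
# Fails if the name is absent from the list or the digest does not match.
verify_iso_checksum() {
    sums="$1"; iso="$2"
    name=$(basename "$iso")
    expected=$(awk -v f="$name" '{ n=$2; sub(/^\*/, "", n); if (n == f) print $1 }' "$sums")
    [ -n "$expected" ] || return 1
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# Usage: ./verify-iso.sh SHA256SUMS SHA256SUMS.gpg distro.iso
if [ "$#" -eq 3 ]; then
    verify_sums_signature "$1" "$2" "$EXPECTED_FPR" || { echo "bad or untrusted signature on $1"; exit 1; }
    verify_iso_checksum "$1" "$3" || { echo "checksum mismatch for $3"; exit 1; }
    echo "OK: $3 matches the signed checksum list"
fi
```

The signature step is what makes the checksum list trustworthy; without it, an attacker who can replace the ISO on the HTTP mirror can replace SHA256SUMS just as easily.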
