Security BUG - UbuntuHashes doesn't contains SHA256!! WHY?

Marc Deslauriers marcdeslauriers at videotron.ca
Thu Jun 2 22:11:37 UTC 2011


Hi,

On Mon, 2011-05-30 at 22:48 -0700, lancebaynes87 wrote:
> Great.. so there's
> 
> 
> ***___NO WAY___***
> 
> 
> that I (a regular little user) could securely check that the
> downloaded Ubuntu installer ISO is really the ISO provided by Ubuntu.
> 
> 
> WHY?
> 
> 
> It's great that
> https://help.ubuntu.com/community/UbuntuHashes
> provides MD5 checksums over HTTPS, but there's a problem with MD5 -
> it's not trustable, see link:
> https://secure.wikimedia.org/wikipedia/en/wiki/MD5#Security
> 
> It would be a wise thing to use SHA256 instead of MD5:
> https://secure.wikimedia.org/wikipedia/en/wiki/SHA256

That's not an official list of hashes. The official hashes are located
in the same directory as the downloads:

http://releases.ubuntu.com/natty/

If you prefer, use the SHA256SUMS file. Also make sure to verify the
signature of the SHA256SUMS file by using the SHA256SUMS.gpg file.

> 
> because there are already SHA256SUMS in the mirror servers, e.g.:
> http://ftp.freepark.org/pub/CDROM-Images/ubuntu//11.04/SHA256SUMS
> 
> p.s.: the problem with serving SHA256SUMS over HTTP is that it gives a
> false sense of security.
> 
> It MUST be served over HTTPS to be trustable.

No. You must verify the signature using the SHA256SUMS.gpg file. http or
https has nothing to do with this.

> 
> Please update the /UbuntuHashes site from MD5 hashes to SHA256 hashes
> 
> 
> https://bugs.launchpad.net/ubuntu/+source/ubuntu-docs/+bug/789688
> 
> 

The page isn't meant to verify the security of the downloads. It's just
meant to verify your download isn't corrupted. If you want to verify the
security, you must check the gpg signatures.


> p.s.: and NO...GPG is not the solution... why? because: 
> https://encrypted.google.com/search?btnG=g&hl=en&num=50&source=hp&q=HTTP+Keyserver+Protocol&meta=
> IT'S NOT USING HTTPS!! (when importing GPG key) so security = 0

You are supposed to look at the web of trust on the GPG key itself, not
base your decision on whether or not the key was on an https server.


> IT'S A BIG SECURITY HOLE, AND THERE'S NO EXPLANATION WHY DON'T THEY
> UPDATE THE /UbuntuHashes site

It's only a big security hole if you're not using it properly. Again,
the page is only meant for checking corrupted downloads, not malicious
images. If you want to check for malicious images, you need to validate
the gpg signatures.


-- 
Marc Deslauriers
Ubuntu Security Engineer     | http://www.ubuntu.com/
Canonical Ltd.               | http://www.canonical.com/
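As an added example, not part of Marc's reply and not Ubuntu's own tooling, here is the two-step procedure he describes written as a Python script: step 1 checks the ISO against SHA256SUMS (corruption), step 2 checks SHA256SUMS.gpg over SHA256SUMS with gpg and accepts only a VALIDSIG from one expected key (malicious image), which is the part that HTTP versus HTTPS does not change. Assumptions: EXPECTED_FINGERPRINT is a placeholder you must replace after checking the CD image signing key through the web of trust; the filenames and the files built inside demo() are constructed stand-ins, not a real ISO or SUMS file; gpg must be on PATH for check_authenticity.

```python
"""Two-step verification of an Ubuntu ISO, as distinguished in the thread:
integrity (SHA256SUMS) and authenticity (SHA256SUMS.gpg).
Added example, not Ubuntu's own tooling."""
import hashlib
import re
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, Optional

# ASSUMPTION / PLACEHOLDER: put the fingerprint of the Ubuntu CD image signing
# key here only after you have checked it through the web of trust or another
# out-of-band source. Whether the key arrived over http or https is irrelevant.
EXPECTED_FINGERPRINT = "0000000000000000000000000000000000000000"

# coreutils sha256sum format: "<64 hex digits><space><space or *><filename>"
_SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Map filename -> lowercase hex digest; reject malformed lines loudly."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _SUMS_LINE.match(line)
        if not m:
            raise ValueError(f"malformed SHA256SUMS line: {line!r}")
        entries[m.group(2)] = m.group(1).lower()
    return entries


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256; ISOs are too large to read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def check_integrity(sums_path: Path, iso_path: Path) -> bool:
    """Step 1: does the download match its SHA256SUMS entry? (corruption check)"""
    entries = parse_sha256sums(sums_path.read_text())
    expected = entries.get(iso_path.name)
    if expected is None:
        raise KeyError(f"{iso_path.name} is not listed in {sums_path}")
    return expected == sha256_of(iso_path)


def signature_status_ok(status_output: str, fingerprint: str) -> bool:
    """Parse gpg --status-fd lines. Only VALIDSIG by the expected key counts;
    a 'Good signature' from some other key in the keyring proves nothing."""
    want = fingerprint.upper()
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            # parts[2] is the signing (sub)key fpr, the last field the primary key fpr
            if want in (parts[2].upper(), parts[-1].upper()):
                return True
    return False


def check_authenticity(sums_path: Path, sig_path: Path,
                       keyring: Optional[Path] = None) -> bool:
    """Step 2: is SHA256SUMS signed by the key we trust? (malicious-image check)
    Requires gpg on PATH; keyring defaults to the user's own."""
    cmd = ["gpg", "--batch", "--status-fd", "1"]
    if keyring is not None:
        cmd += ["--no-default-keyring", "--keyring", str(keyring)]
    cmd += ["--verify", str(sig_path), str(sums_path)]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode == 0 and signature_status_ok(proc.stdout, EXPECTED_FINGERPRINT)


def demo() -> Dict[str, bool]:
    """Offline run on constructed files (stand-ins, not a real ISO or SUMS file)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        iso = d / "ubuntu-11.04-desktop-i386.iso"
        iso.write_bytes(b"constructed stand-in for an ISO image\n" * 1000)
        sums = d / "SHA256SUMS"
        sums.write_text(f"{sha256_of(iso)} *{iso.name}\n")
        intact = check_integrity(sums, iso)
        # simulate a corrupted or tampered download: change the last byte
        iso.write_bytes(iso.read_bytes()[:-1] + b"!")
        tampered = check_integrity(sums, iso)
    return {"intact": intact, "tampered_detected": not tampered}


if __name__ == "__main__":
    print(demo())
```

The two checks are kept separate on purpose: a matching digest from an unsigned (or unverified) SHA256SUMS only tells you the download is not corrupted, which is all the UbuntuHashes page is meant for; only a VALIDSIG from a fingerprint you have independently confirmed tells you the SHA256SUMS file itself is the one Ubuntu published.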