Security BUG - UbuntuHashes doesn't contain SHA256!! WHY?

Nick Edwards nick.z.edwards at gmail.com
Fri Jun 3 00:09:54 UTC 2011


On Tue, May 31, 2011 at 3:48 PM, lancebaynes87 <lancebaynes87 at zoho.com> wrote:

> Great.. so there's
>
> ***___NO WAY___***
>
> that I (a regular little user) could securely check that the downloaded
> Ubuntu installer ISO is really the ISO provided by Ubuntu.
>
> WHY?
>
>

I don't know where you got your idea about security but it is severely
flawed.

It makes no difference if the checksum was served by http, https, ftp, or
dcc via IRC.

md5sum might be weaker than sha256 (about the only thing you got right), but
they are not used for security, they are used for validation. If you want
security, use GPG. Your understanding of how gpg works is flawed as well,
since the gpg file is not the private key, so they can do whatever they want
with it; it will fail if it's altered in any way.

https only means it can't be sniffed in transit, whoopie doo... if your
server is hacked, they could put a false file there and you're just as
screwed.
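As an added example, not part of the original thread or of any Ubuntu tooling, here is the two-step check the reply describes, in Python: the checksum step only tells you the ISO you have matches the SHA256SUMS file you have (validation), while the detached GPG signature on that file is what ties it to the publisher (authenticity). The SHA256SUMS line format (`<hex digest> *<filename>`) is the one Ubuntu's release directories use; the `gpg` invocation assumes the gpg binary is installed and that the release signing key has already been imported into the keyring passed in. The sample ISO content and checksum lines in the demo are constructed for illustration.

```python
import hashlib
import hmac
import re
import subprocess
import tempfile
from pathlib import Path

# One line of an Ubuntu SHA256SUMS file: 64 hex chars, a space, then '*' (binary
# mode) or another space, then the filename. sha256sum -c accepts either marker.
_SUM_LINE = re.compile(r"^([0-9a-f]{64}) [ *](.+)$")


def parse_sha256sums(text):
    """Return {filename: hexdigest} from SHA256SUMS-style content."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _SUM_LINE.match(line)
        if not m:
            raise ValueError(f"malformed checksum line: {line!r}")
        expected[m.group(2)] = m.group(1)
    return expected


def sha256_of_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so a multi-GB ISO is not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def checksum_matches(iso_path, sums_text):
    """Step 1 (integrity only): does the ISO match the entry in SHA256SUMS?"""
    name = Path(iso_path).name
    expected = parse_sha256sums(sums_text)
    if name not in expected:
        raise KeyError(f"{name} not listed in SHA256SUMS")
    return hmac.compare_digest(sha256_of_file(iso_path), expected[name])


def signature_is_valid(sums_path, sig_path, keyring):
    """Step 2 (authenticity): verify the detached signature SHA256SUMS.gpg.

    Assumes the gpg binary is on PATH and that `keyring` already contains the
    publisher's public key. gpg exits non-zero if the signed file was altered
    in any way, which is the property the reply above relies on.
    """
    result = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--verify", sig_path, sums_path],
        capture_output=True, text=True,
    )
    return result.returncode == 0


def verify_iso(iso_path, sums_path, sig_path, keyring):
    """Full check: signature first, then checksum. Returns a short verdict string."""
    if not signature_is_valid(sums_path, sig_path, keyring):
        return "SIGNATURE FAILED: SHA256SUMS is not the publisher's file"
    sums_text = Path(sums_path).read_text()
    if not checksum_matches(iso_path, sums_text):
        return "CHECKSUM FAILED: ISO does not match the signed SHA256SUMS"
    return "OK"


def demo():
    """Constructed scenario showing why the checksum alone is only validation."""
    with tempfile.TemporaryDirectory() as d:
        iso = Path(d) / "ubuntu-demo.iso"          # constructed stand-in for an ISO
        iso.write_bytes(b"genuine installer bytes\n")
        sums = f"{sha256_of_file(iso)} *ubuntu-demo.iso\n"
        genuine_ok = checksum_matches(iso, sums)

        # A compromised mirror can replace BOTH the ISO and SHA256SUMS; the
        # checksum still matches, so only the signature step would catch it.
        iso.write_bytes(b"tampered installer bytes\n")
        tampered_sums = f"{sha256_of_file(iso)} *ubuntu-demo.iso\n"
        tampered_still_ok = checksum_matches(iso, tampered_sums)

        # The tampered ISO against the genuine SHA256SUMS does fail.
        tampered_vs_genuine = checksum_matches(iso, sums)
        return genuine_ok, tampered_still_ok, tampered_vs_genuine


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

In practice the order matters: verify the signature on SHA256SUMS before trusting any digest in it, because a mirror that can serve you a false ISO can just as easily serve you a matching false checksum file.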