Security BUG - UbuntuHashes doesn't contain SHA256!! WHY?
lancebaynes87
lancebaynes87 at zoho.com
Tue May 31 05:48:21 UTC 2011
Great.. so there's
***___NO WAY___***
that I (a regular little user) could securely check that the downloaded Ubuntu installer ISO is really the ISO provided by Ubuntu.
WHY?
It's great that
https://help.ubuntu.com/community/UbuntuHashes
provides MD5 checksums over HTTPS, but there's a problem with MD5 - it's not trustable, see link:
https://secure.wikimedia.org/wikipedia/en/wiki/MD5#Security
It would be a wise thing to use SHA256 instead of MD5:
https://secure.wikimedia.org/wikipedia/en/wiki/SHA256
because there are already SHA256SUMS in the mirror servers, e.g.:
http://ftp.freepark.org/pub/CDROM-Images/ubuntu//11.04/SHA256SUMS
p.s.: the problem with serving SHA256SUMs over HTTP is that it gives a false sense of security.
It MUST be served over HTTPS to be trustable.
Please update the /UbuntuHashes site from MD5 hashes to SHA256 hashes
https://bugs.launchpad.net/ubuntu/+source/ubuntu-docs/+bug/789688
Any opinions, someone?
this is a laugh..
p.s.: and NO...GPG is not the solution... why? because:
https://encrypted.google.com/search?btnG=g&hl=en&num=50&source=hp&q=HTTP+Keyserver+Protocol&meta=
IT'S NOT USING HTTPS!! (when importing GPG key) so security = 0
THE SOLUTION WOULD ONLY TAKE 5 MINUTES!! WHY DON'T THEY FIX IT?? WHY??
IT'S A BIG SECURITY HOLE, AND THERE'S NO EXPLANATION WHY DON'T THEY UPDATE THE /UbuntuHashes site
Thank you for your attention. Have a nice day.
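The check the post is asking for, as an added example (this is not code from the post or from Ubuntu): parse a SHA256SUMS manifest in the coreutils `sha256sum` line format, hash each listed file in chunks, and report OK / FAILED / MISSING per entry. The ISO file names and contents in `demo()` are constructed stand-ins, not real images. The example assumes the manifest text itself came over an authenticated channel (HTTPS, or a signature you have already verified); a manifest fetched over plain HTTP can be swapped along with the ISO, which is exactly the false sense of security the post describes.

```python
"""Verify downloaded files against a SHA256SUMS manifest.

Added example, not code from the original post or from Ubuntu. Assumes the
manifest uses the coreutils `sha256sum` line format and that the manifest
text was obtained over an authenticated channel (HTTPS or a verified
signature); otherwise a matching hash proves nothing.
"""
import hashlib
import os
import tempfile
from typing import Dict

HEX_DIGEST_LEN = 64  # SHA-256 is 32 bytes, printed as 64 hex characters


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Parse `sha256sum`-style lines: `<hex>  <name>` or `<hex> *<name>`.

    Blank lines and `#` comments are skipped; anything else that is not a
    64-character hex digest followed by a file name raises ValueError, so a
    corrupted or truncated manifest fails loudly instead of verifying nothing.
    """
    entries: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip("\r\n")
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        digest, sep, rest = line.partition(" ")
        if not sep or len(digest) != HEX_DIGEST_LEN:
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        try:
            bytes.fromhex(digest)
        except ValueError:
            raise ValueError(f"line {lineno}: digest is not hex {digest!r}") from None
        # coreutils writes two spaces (text mode) or " *" (binary mode)
        # between digest and name; drop that single marker character.
        name = rest[1:] if rest[:1] in (" ", "*") else rest
        if not name:
            raise ValueError(f"line {lineno}: missing file name")
        entries[name] = digest.lower()
    return entries


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so a multi-gigabyte ISO never sits in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_manifest(manifest_text: str, directory: str) -> Dict[str, str]:
    """Return {name: 'OK' | 'FAILED' | 'MISSING'} for every manifest entry."""
    results: Dict[str, str] = {}
    for name, expected in parse_sha256sums(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        results[name] = "OK" if sha256_file(path) == expected else "FAILED"
    return results


def demo() -> Dict[str, str]:
    """Build a constructed download directory and verify it; returns statuses."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-ins: these are not real Ubuntu images.
        good = os.path.join(tmp, "ubuntu-11.04-desktop-i386.iso")
        with open(good, "wb") as f:
            f.write(b"constructed sample image contents\n" * 1000)
        tampered = os.path.join(tmp, "ubuntu-11.04-server-i386.iso")
        with open(tampered, "wb") as f:
            f.write(b"constructed contents that do not match the manifest\n")
        manifest = "\n".join([
            "# constructed SHA256SUMS manifest",
            f"{sha256_file(good)} *ubuntu-11.04-desktop-i386.iso",
            f"{'0' * 64} *ubuntu-11.04-server-i386.iso",      # digest will not match
            f"{'f' * 64} *ubuntu-11.04-alternate-i386.iso",   # file was never downloaded
        ])
        return verify_manifest(manifest, tmp)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8} {name}")
```

`verify_manifest` reports every entry rather than stopping at the first failure, which matches how `sha256sum -c` behaves and makes it easy to see whether a mismatch is one corrupted download or a whole manifest that does not belong to the files on disk.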