
Re: Fwd: Fwd: question regarding verification of a debian installation iso



On Sun, 02 Jan 2011, Naja Melan wrote:
> 1. Probably the safest thing to do is buy a Mac or Windows CD in the shop,
> although there is (for me) no way of knowing how safe that really is.

Do you trust the store? How do you know the store installed the pristine copy of Windows or Mac OS, and not a modified version?

> 2. Some Linux distros I see now do have certified https, like Fedora, which
> puts gpg fingerprints (SHA1) of their public keys on their certified
> website.
> 3. Other distros have md5 hashes over certified https, like Ubuntu.
> (virtually a shared fourth place with Debian)

Do you trust Verisign or the issuer of the http certificate?

> 4. Debian, which, for a general user who has not been able to obtain in a
> safe way a chain of trust to the Debian CD signing key (read: next to
> everyone), boils down to, well, plain http!

> Whenever I need to install a secure system, or advise someone on how to do
> that, I will have to pick something from that list or avoid using a computer
> altogether. MD5 is truly ridiculous, so I won't go into it (a Google search
> will).

It's fine for detecting random transmission errors or errors in burning to CD/DVD media. For security purposes, yes, it can be hacked.

> Https has, like I said, serious drawbacks that are unfortunately not
> known to the people using it, and unfortunately are not turned up easily by
> a web search. I would avoid having to go into details about it unless there
> is a true, genuine need for a security review of https (amongst other reasons
> because I don't consider myself an expert).

In previous paragraphs you seemed to imply that it is good enough, when you mentioned other distros that use https.


--
There's a fine line between courage and foolishness. Too bad it's not a fence.

Eduardo M KALINOWSKI
eduardo@kalinowski.com.br

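The thread above turns on one distinction: a checksum file proves that the image you downloaded is the one the checksum file describes, while only a signature on that checksum file (or an authenticated channel) proves it came from Debian. The following is an added example, not code from the original messages or from Debian's own tooling. It parses the coreutils-style SHA256SUMS/SHA512SUMS format Debian publishes, verifies a file against it, refuses MD5/SHA-1 sums files, and then models the plain-http case the poster complains about: an attacker who can replace the ISO in transit can replace the unsigned checksum file too, so the check passes. The ISO bytes and file name are constructed stand-ins, not real Debian artefacts.

```python
"""Verify a downloaded image against a Debian-style SHA256SUMS / SHA512SUMS
file, and show why an unsigned checksum file gives no authenticity.
Added example; the ISO contents and name below are constructed."""
import hashlib
import hmac

# Constructed stand-ins for the downloaded artefacts (not real Debian data).
FAKE_ISO = b"\x00" * 2048 + b"constructed ISO payload for the example\n"
FAKE_ISO_NAME = "debian-example-netinst.iso"  # hypothetical file name


def make_sums_file(files, algo="sha256"):
    """Build a checksum file in the coreutils text-mode format Debian
    publishes: one line per file, '<hex digest>  <name>' (two spaces)."""
    return "".join(
        f"{hashlib.new(algo, data).hexdigest()}  {name}\n"
        for name, data in files.items()
    )


def parse_sums_file(text):
    """Return {filename: hex digest} from a SHA*SUMS file.
    coreutils writes '<digest> <mode><name>' where <mode> is ' ' (text)
    or '*' (binary); blank lines are skipped, anything else is rejected."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(" ", 1)
        if len(parts) != 2 or not parts[1] or parts[1][0] not in " *":
            raise ValueError(f"line {lineno}: not '<digest> <mode><name>'")
        digest, name = parts[0].lower(), parts[1][1:]
        try:
            bytes.fromhex(digest)
        except ValueError:
            raise ValueError(f"line {lineno}: digest is not hex") from None
        entries[name] = digest
    return entries


def digest_algo_for(hexdigest):
    """Infer the hash from the digest length. MD5 (32 hex chars) and SHA-1
    (40) map to None: fine for spotting a bad burn, not for security."""
    return {64: "sha256", 128: "sha512"}.get(len(hexdigest))


def verify_file(data, name, sums_text):
    """True iff the digest listed for `name` matches `data`.
    The hex strings are compared in constant time; MD5/SHA-1 sums files
    raise ValueError so a caller cannot silently accept them."""
    entries = parse_sums_file(sums_text)
    if name not in entries:
        raise KeyError(f"{name} is not listed in the checksum file")
    expected = entries[name]
    algo = digest_algo_for(expected)
    if algo is None:
        raise ValueError("refusing MD5/SHA-1 sums file: use SHA256SUMS or SHA512SUMS")
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected)


def attacker_serves_both(original_iso, name):
    """Model the plain-http download: whoever can alter the ISO in transit
    can alter the unsigned checksum file the same way, so verify_file()
    happily returns True for the tampered image. Nothing in the hash
    check itself ties the sums file to Debian; that needs the signature."""
    tampered = original_iso + b"\n# payload appended by the example's attacker\n"
    tampered_sums = make_sums_file({name: tampered})
    return verify_file(tampered, name, tampered_sums)


if __name__ == "__main__":
    sums = make_sums_file({FAKE_ISO_NAME: FAKE_ISO}, "sha512")
    print("genuine image verifies:", verify_file(FAKE_ISO, FAKE_ISO_NAME, sums))
    print("corrupted image verifies:", verify_file(FAKE_ISO + b"x", FAKE_ISO_NAME, sums))
    print("tampered image + tampered sums verifies:", attacker_serves_both(FAKE_ISO, FAKE_ISO_NAME))
```

The piece this stdlib example cannot perform is the step that actually closes the gap the poster describes: before trusting the sums file, verify its detached signature with `gpg --verify SHA512SUMS.sign SHA512SUMS` against a keyring containing the Debian CD signing key, whose fingerprint must be checked against something you already trust out of band; only then does `sha512sum -c --ignore-missing SHA512SUMS` say anything about authenticity rather than just transmission integrity.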