
Re: Fwd: Fwd: question regarding verification of a debian installation iso



Thanks for pointing out those servers. On a practical level I don't really see how it helps though, because I don't see a realistic way of getting the certificate of SPI onto my computer.

You've downloaded a bunch of certificates that came with your web browser.  Why do you trust them?

As I pointed out above, there are many problems associated with https. Trusting the root certificates is one of those. Still, the level of trust I have in them comes from:

a) getting them shipped to me in a "secure" or at least "somewhat secure" way (which is the whole point of this thread, remember)
b) some trust in the certification authorities and everyone that is supposed to check them, like auditors and browser/OS developers
c) some trust in developers that store and distribute them, like browser/OS developers to do that in a safe way

Admittedly, that is not much trust, but it is definitely more than plain http. Especially considering that an attacker must have it all set up beforehand. Downloading a Linux distro does not leave sensitive traces afterwards. It's all about the moment of download.

Currently I'm installing Fedora, because it seems that that is as good as it gets with https. Their site is very neat and informative in verifying their downloads; it all comes over certified https, even extra tools like the liveusb-creator. This gives me at least a higher sense of trust than the current Debian situation.

greetz
naja melan
