Re: How to download over https

To: debian-user@lists.debian.org
Subject: Re: How to download over https
From: Dan Purgert <dan@djph.net>
Date: Thu, 16 Jun 2016 16:18:19 -0000 (UTC)
Message-id: <[🔎] slrnnm5ka8.6b8.dan@xps-linux.djph.net>
References: <[🔎] 7927102.VQkD3l6WS7@tecra>

matthew wrote:
> [snip]
>
> There are MD5 and SHA sums in that same directory. However I can only
> access those checksums through unencrypted connections. Therefore they
> cannot be used to check against 3rd party tampering. (Since someone
> who has the ability to tamper with the .iso can also tamper with the
> .txt files.)

I don't think you quite get how "HTTPS" works, or rather what "HTTPS"
implies. All it means is that the transport channel itself (in this
case, HTTP) is secured from someone eavesdropping on the connection
(and, by extension, it's not being modified on the fly), and that the
server at the other end is what it says it is (i.e. a cert for
"https://www.example.com"; will cause your browser to error if you get
redirected to "https://honeypot.example.com";).

It DOES NOT protect you from a malicious party who has "tampered" with
the iso image itself, and is presenting that tampered file as the
original (the way to verify THAT information is with checksums and
digital signatures).

For example, let's say you ask for a link to "some_package.deb" (because
it's old / unmaintained -- like Adobe Reader -- and you need to use it
because some Windows fool sent you something that relies on that package
to work).  Without a checksum or signature on the file, even if I send
you a https link (e.g. "https://example.com/some_package.deb";), you
have no assurances that the package is ~really~ the one you're after (as
opposed to say, a rootkit).

So, the fact that HTTPS doesn't ~actually~ provide you with any security
when a "malicious party" has root accesss to the webserver, AND that it
adds overhead to the transmission (which, for an install ISO is pretty
big already), it's preferable to provide the files in the manner that
they have been (i.e. HTTP with detached signatures / checksums).  Note
too that the checksum information and digital signature source SHOULD be
provided in an out-of-band (and secure) manner so as to create a strong
web of trust.  

Given that "debian" is the "well-trusted" party in this instance, their
providing of both 

 - their public signing key, AND
 - the *.iso MD5 and/or SHA checksum(s) 

on a HTTPS-secured webpage will suffice the conditions of "creating
trust" for most people.

Further strengthening of this trust can be had by the public PGP key
being itself signed by well-known and well-trusted individuals in the
community (even if they're only 'marginally' trusted by you, GPG
defaults to '3 marginals = okay' for trust purposes -- although you can
still verify a signature even without "trusting" the key).

>
> Am I supposed to be able to use https? If not, how can I download
> debian iso files securely?

No. As explained, you don't need to "download" them securely, but rather
have a secure means to validate the data you get is the data you expect.

-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O|

Reply to:

Follow-Ups:
- Re: How to download over https
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>

References:
- How to download over https
  - From: matthew <matthew@mdavis.xyz>

Prev by Date: Re: Mailing-list configuration
Next by Date: open - resource temporarily unavailable
Previous by thread: Re: How to download over https
Next by thread: Re: How to download over https
Index(es):
- Date
- Thread