
Re: How to download over https



On Thu, Jun 16, 2016 at 10:34:01PM +1000, matthew wrote:
I'm trying to download an iso for installation.
The image I want is here:
http://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/
8.5.0-live+nonfree/amd64/iso-hybrid/

In particular I'm wanting debian-live-8.5.0-amd64-cinnamon-desktop+nonfree.iso

However that's a http link. If I add an 's' into that url to make it https, I
get an error saying the resource is unreachable. This is true of both the
directory in the browser, the .iso in the browser, and the .iso with wget.

There are MD5 and SHA sums in that same directory. However I can only access
those checksums through unencrypted connections. Therefore they cannot be used
to check against 3rd party tampering. (Since someone who has the ability to
tamper with the .iso can also tamper with the .txt files.)

Am I supposed to be able to use https? If not, how can I download debian iso
files securely?

I don't know if c.d.o is supposed to support HTTPS, but as a reference, I can't get to port 443 here, either.

As an alternative, you can check the GPG signature on the MD5SUMS file. The idea goes that, while the ISO itself isn't signed, there are hashsum files for the ISOs and these hashsum files are then signed by the Debian CD signing key.

According to my reading of https://www.debian.org/CD/verify, those keys are:
pub   4096R/64E6EA7D 2009-10-03
     Key fingerprint = 1046 0DAD 7616 5AD8 1FBC  0CE9 9880 21A9 64E6 EA7D
uid                  Debian CD signing key <debian-cd@lists.debian.org>

pub   4096R/6294BE9B 2011-01-05
     Key fingerprint = DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
uid                  Debian CD signing key <debian-cd@lists.debian.org>
sub   4096R/11CD9819 2011-01-05

pub   4096R/09EA8AC3 2014-04-15
     Key fingerprint = F41D 3034 2F35 4669 5F65  C669 4246 8F40 09EA 8AC3
uid                  Debian Testing CDs Automatic Signing Key <debian-cd@lists.debian.org>
sub   4096R/6BD05CFB 2014-04-15

You can easily use GnuPG, PGP or similar to verify that the signature on the hashsum files is intact. This assures that the hashsum file has not been tampered with since it was signed.

Now, by itself, that provides little benefit over and above the hashsum file itself. You've proved that the ISO and the hashsum file haven't been tampered with, but you haven't verified that the signature wasn't ALSO produced by the attacker.

This is where trust comes in. If you trust me, you can confirm that the key used to sign the hashsums matches what I've written above. If you're more paranoid, though, you will want to use the Web of Trust. Find someone on the Debian Keyring, meet them (preferably in person) and authenticate their key. With luck, either they've signed the CD key or they trust someone who has. Once you have a path between someone you trust and the CD key, then you have proven that the ISO was produced by the correct person.


--
For more information, please reread.

Attachment: signature.asc
Description: PGP signature
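An added example (my code, not from the list thread or the Debian project) of the two-step check the reply describes: the signature on the hashsum file must be good and must come from one of the fingerprints listed above, and only then is the downloaded image compared against the listed hash. It assumes the caller has already run `gpg --status-fd 1 --verify` and captured its output lines; the sample status lines and MD5SUMS content are constructed.

```python
import hashlib

# Fingerprints of the three Debian CD signing keys quoted in the reply above,
# spaces removed. A good signature from any other key is rejected.
TRUSTED_FINGERPRINTS = {
    "10460DAD76165AD81FBC0CE9988021A964E6EA7D",
    "DF9B9C49EAA9298432589D76DA87E80D6294BE9B",
    "F41D30342F3546695F65C66942468F4009EA8AC3",
}

# Constructed sample inputs (not real gpg output or a real Debian sums file).
STATUS_TRUSTED = [
    "[GNUPG:] GOODSIG 988021A964E6EA7D Debian CD signing key <debian-cd@lists.debian.org>",
    "[GNUPG:] VALIDSIG 10460DAD76165AD81FBC0CE9988021A964E6EA7D 2016-06-04 1465000000 0 4 0 1 10 00 10460DAD76165AD81FBC0CE9988021A964E6EA7D",
]
STATUS_UNKNOWN_KEY = [
    "[GNUPG:] GOODSIG 0000000000000000 Mallory <mallory@example.invalid>",
    "[GNUPG:] VALIDSIG " + "0" * 40 + " 2016-06-04 1465000000 0 4 0 1 10 00 " + "0" * 40,
]
SAMPLE_MD5SUMS = "900150983cd24fb0d6963f7d28e17f72  debian-live-8.5.0-amd64-cinnamon-desktop+nonfree.iso\n"


def signature_trusted(status_lines, trusted=TRUSTED_FINGERPRINTS):
    """Require a GOODSIG and a VALIDSIG whose primary-key fingerprint is trusted."""
    good, fingerprint = False, None
    for line in status_lines:
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] == "GOODSIG":
            good = True
        elif parts[1] == "VALIDSIG":
            # field 2 is the signing (sub)key; field 11, when present, is the primary key
            fingerprint = (parts[11] if len(parts) > 11 else parts[2]).upper()
    return good and fingerprint in trusted


def parse_sums(sums_text):
    """Parse '<hex>  <name>' / '<hex> *<name>' lines into {name: hex}."""
    sums = {}
    for line in sums_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            sums[parts[1].strip().lstrip("*")] = parts[0].lower()
    return sums


def image_verified(status_lines, sums_text, name, data, algo="md5"):
    """Trusted signature on the sums file first, then the image must hash to its listed entry."""
    if not signature_trusted(status_lines):
        return False
    expected = parse_sums(sums_text).get(name)
    return expected is not None and hashlib.new(algo, data).hexdigest() == expected
```

The fingerprint comparison is the step that separates this from merely trusting whatever key made the signature; the Web of Trust path in the reply is how you decide which fingerprints go into the trusted set.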

