Adam Williamson writes:
On Sun, 2016-02-21 at 23:08 +0100, Jens Lody wrote:
> On Sun, 21 Feb 2016 21:35:32 +0000, Tom Hughes <tom@xxxxxxxxxx> wrote:
>
> > On 21/02/16 21:31, Jens Lody wrote:
> >
> > > I don't see any hint about verification, if I go to the
> > > download-site from Germany:
> > >
> > > https://getfedora.org/de_CH/workstation/download/
> > >
> > > There's just a button, that directly downloads the iso.
> >
> > You must have javascript disabled for getfedora.org then - if it was
> > enabled you would get the screen Kevin mentioned.
> >
> > Tom
>
> I also thought that this can be the cause, so I explicitly enabled it
> before I checked the site.
>
> But even if a user does not enable javascript, the site should at least
> show a hint about verification.

This is all fairly beside the point, however, if we're talking about the scenario that affected Mint. The attacker in that case was able to modify the download pages themselves. It doesn't matter if the pristine pages feature a giant pink unicorn holding a banner that says "VERIFY YOUR DOWNLOAD!" in flashing 144pt Comic Sans - if the attacker can modify the download pages, they just remove all the stuff about verifying the download. Or, better, change the checksums so they match...
Yeah, not much can be done about total 0wnage. But, that shouldn't be a reason to avoid doing something fairly simple that would mitigate partial 0wnage. Making sure that instructions for verifying the hashes of downloaded ISO images are easily and readily visible would be a bare minimum, I'd think. I'm sure that the ISOs are not stored on the web servers themselves.
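The distinction drawn in this thread, as an added example that is not part of the original messages or of Fedora's tooling: a checksum served by the same page as the image still matches when both were replaced, while a check anchored outside the page fails closed. The function names, sample data and the two checksum line formats are assumptions, and a pinned digest of the checksum listing stands in for verifying a signature on that listing, which the Python standard library cannot do.

```python
import hashlib
import hmac
import re

# Checksum line formats handled (assumed): BSD "SHA256 (name) = hex" and GNU "hex *name".
_BSD = re.compile(r"^SHA256 \((?P<name>.+)\) = (?P<hex>[0-9a-f]{64})$")
_GNU = re.compile(r"^(?P<hex>[0-9a-f]{64}) [ *](?P<name>.+)$")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_checksums(listing: str) -> dict:
    """Map filename -> SHA-256 hex; comments and other lines are skipped."""
    found = {}
    for line in listing.splitlines():
        m = _BSD.match(line.strip()) or _GNU.match(line.strip())
        if m:
            found[m["name"]] = m["hex"]
    return found

def naive_check(image: bytes, name: str, listing: str) -> bool:
    """Trusts whatever listing the download page served."""
    expected = parse_checksums(listing).get(name)
    return expected is not None and hmac.compare_digest(sha256_hex(image), expected)

def anchored_check(image: bytes, name: str, listing: str, pinned: str) -> str:
    """Fails closed unless the listing itself matches a digest obtained out of band."""
    if not hmac.compare_digest(sha256_hex(listing.encode()), pinned):
        return "listing-untrusted"
    if name not in parse_checksums(listing):
        return "image-not-listed"
    return "ok" if naive_check(image, name, listing) else "image-mismatch"

# Constructed sample data, not real release artifacts.
NAME = "example-live.iso"
GENUINE, TAMPERED = b"constructed genuine image", b"constructed tampered image"
GENUINE_LISTING = f"# constructed listing\nSHA256 ({NAME}) = {sha256_hex(GENUINE)}\n"
FORGED_LISTING = f"SHA256 ({NAME}) = {sha256_hex(TAMPERED)}\n"
PINNED = sha256_hex(GENUINE_LISTING.encode())  # stands in for the signature trust anchor

if __name__ == "__main__":
    print("naive, page fully modified:   ", naive_check(TAMPERED, NAME, FORGED_LISTING))
    print("anchored, page fully modified:", anchored_check(TAMPERED, NAME, FORGED_LISTING, PINNED))
    print("anchored, only image swapped: ", anchored_check(TAMPERED, NAME, GENUINE_LISTING, PINNED))
    print("anchored, untouched download: ", anchored_check(GENUINE, NAME, GENUINE_LISTING, PINNED))
```

The "only image swapped" case corresponds to the partial compromise the reply mentions, where the listing is intact and the plain hash comparison is enough to catch the change.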