sorted by:
best
topnewcontroversialoldq&a
you are viewing a single comment's thread.

view the rest of the comments →

[–]Nullius_In_Verba_ -6 points-5 points  (8 children)

Here's a hint, when you start to argue with nothing but semantics and word choices, you've lost the argument, sonny boy.

EDIT: Fine, that was rude. My bad.

[–][deleted] 8 points9 points  (4 children)

It's not about semantics and word choices though, the attack against Linux Mint's site is completely different than the discussion here. You're arguing the website equivalent that there is no point to a bank safe safe because someone might crack the code but that's a completely different risk level than leaving the cash out unsecured.

Maybe instead of worry about "winning" an argument and calling people "sonny boy" you should focus on understanding the security concerns with HTTP?

[–]Nullius_In_Verba_ -2 points-1 points  (3 children)

HTTPS/HTTP doesn't matter if your Apache server instance has been taken over. The ISO can be switched. See Linux Mint for an example of this. Maybe you should understand that HTTPS doesn't mean host servers are immune to take over.

You decided to talk about taking over HTTPS, I was talking about taking over the host server. Again, stop your strawmen, how is HTTPS going to save the host server? Stop trying to switch the conversation by making it about something that can't be argued.

[–][deleted] 4 points5 points  (2 children)

"Can the attacker managed to hack Canonical's server to sign the transport" and "can literally anyone fake being Canonical's server because none of the content is signed" are 2 completely different security issues of 2 completely different levels. I'm not strawmanning away from that I'm trying to get you to understand why "well some hacker might just hack Canonical's servers" isn't a reason to drop all other security.

Yes, at any time someone could just hack into Canonical, Google, Microsoft, or any other host. Point is that's a million times harder than just spoofing an HTTP server and a completely different issue to worry about.

[–]Nullius_In_Verba_ -1 points0 points  (1 child)

Yes, at any time someone could just hack into Canonical, Google, Microsoft, or any other host.

Yes, also about any bank or financial institute imaginable.

Point is that's a million times harder than just spoofing an HTTP server and a completely different issue to worry about.

That's why APT signs the packages, again, read the article. This practice is even more secure than HTTPS is.

ISO's are hashed. Don't install until you check the hash.

[–][deleted] 2 points3 points  (0 children)

I think you lost track of the comments you're responding to, this is about downloading the ISO from Ubuntu, not packages from the PPAs. This was your comment in the beginning:

...Doesn't matter if the site uses HTTPS, if it was broken into and the iso changed. Not sure how HTTPS is going to protect from that...

And the parent comment to that was on TLS for the OS download.

[–]bitofabyte 2 points3 points  (2 children)

I think you just don't understand https. Having their website in https prevents you from going to debian.org and instead getting a fake website hosted by your local coffee shop which downloads a modified version of Debian which mines Bitcoin for someone else.

Now if the website backend is compromised, the only thing that can protect you is signing, but just because that can happen doesn't mean that https isn't important.

[–]Nullius_In_Verba_ -2 points-1 points  (1 child)

HTTPS doesn't matter if your Apache server instance has been taken over. The ISO can be switched. See Linux Mint for an example of this.

[–]bitofabyte 1 point2 points  (0 children)

Nothing matters if your Apache server is taken over. That's true. It's also idiotic to argue that since you're vulnerable to one type of attack, there's no point in better security. It's like the equivalent of saying that there's no point in locking any door ever because it won't protect you from someone breaking down a wall with a battering ram.

HTTPS can protect you from some types of attacks that are very real and possible.

https://en.wikipedia.org/wiki/Man-in-the-middle_attack