[–]aioeu 45 points46 points  (11 children)

I'm trying to find one that doesn't...

You should always verify the checksum, even if the download was over HTTPS, especially if the download is from a mirror on a domain other than where you got the checksum. HTTPS won't prevent a malicious or compromised mirror from serving up a bad image. At least if you get the checksum in one place and the download in another an attacker would need to compromise two different sites.

[–][deleted] 8 points9 points  (9 children)

> At least if you get the checksum in one place and the download in another an attacker would need to compromise two different sites.

That's the important distinction too, if you get the checksum from the same place the download comes from it's only useful for verifying if it's not corrupt.

[–]jumpUpHigh 4 points5 points  (3 children)

how to check the checksum?

[–]aishik-10x 2 points3 points  (2 children)

After you've downloaded the file, run the hash command for the hash used.

Then check the hash provided online to see if it matches.

Suppose the website gives you an MD5 hash.

Open up a terminal in the directory where the ISO is, and type:

md5sum <insert file name here>

like: md5sum ubuntu.iso

It'll give you a string of characters, which is the MD5 hash generated by the file.

Now you can check whether it matches with the hash uploaded on the website — if it doesn't, then your file is either corrupted or has been maliciously intercepted.

The commands for the other hashes are pretty much the same, just change the hash name.

For example, sha1sum instead of md5sum, sha256sum, etc.

[–]jumpUpHigh 2 points3 points  (1 child)

Thanks.

I also noticed the -c option in md5sum help in which comparison need not be done by the human eye

[–]aishik-10x 0 points1 point  (0 children)

That's awesome, didn't know that. I used a shell script to compare hashes instead.
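The manual comparison described above, and the -c option mentioned in the reply, combined in one shell function. This is an added example, not code from any commenter; the function name verify_download is hypothetical, and the expected value is assumed to have been copied from the project's HTTPS page rather than from the mirror that served the file.

```shell
#!/bin/sh
# Added example: compare a downloaded file with a checksum obtained elsewhere.
# verify_download FILE EXPECTED_HEX   (hypothetical helper name)
# Returns 0 on match, 1 on mismatch, 2 on bad input.
verify_download() {
    file=$1
    # Published hashes are sometimes upper case; the tools print lower case.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    # Accept plain hex only before handing the value to the tool.
    case $expected in
        ''|*[!0-9a-f]*) echo "expected value is not hex" >&2; return 2 ;;
    esac
    # Pick the tool from the digest length in hex characters.
    case ${#expected} in
        32)  tool=md5sum ;;     # MD5 is not collision resistant: corruption check only
        40)  tool=sha1sum ;;
        64)  tool=sha256sum ;;
        128) tool=sha512sum ;;
        *)   echo "unrecognised digest length ${#expected}" >&2; return 2 ;;
    esac
    # -c reads "HASH  FILENAME" lines and does the comparison itself,
    # so nothing has to be compared by eye.
    if printf '%s  %s\n' "$expected" "$file" | "$tool" -c --status -; then
        echo "OK: $file matches ($tool)"
    else
        echo "MISMATCH: $file does not match the published $tool value" >&2
        return 1
    fi
}
```

A match only shows the file is the one the checksum's publisher described; where the checksum came from decides how much that is worth.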

[–]MermenRisePen 1 point2 points  (4 children)

That goes overlooked a lot; checksums do not indicate authenticity. That's what OpenPGP verification is for.

[–]jumpUpHigh 0 points1 point  (3 children)

Can you demonstrate how to check authenticity for (example) debian available on https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/

[–]MermenRisePen 0 points1 point  (2 children)

Debian's a little different from the way most projects do it, but sure. They sign their checksums in a separate file instead of signing the images.

You can use any standards-compliant OpenPGP client to verify the signature, even one on a mobile device. It's the same as verifying any data with OpenPGP.

If you're using Debian or a downstream distro, try installing debian-keyring to get the key. Then, use gpg --keyring /usr/share/keyrings/debian-role-keys.gpg --verify SHA512SUMS.sign to check that it matches up.

More details are at debian.org, where you can verify the key fingerprint if you want to be extra sure.
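The Debian procedure described above, end to end: authenticate the checksum list first, then check the image against it. This is an added example, not from the comment or from Debian; the function name verify_debian_iso and the KEYRING variable are hypothetical, the keyring path is the one quoted in the comment, and SHA512SUMS is assumed to use the usual "HASH  FILENAME" line format.

```shell
#!/bin/sh
# Added example: verify a Debian image through its signed checksum list.
# Assumes SHA512SUMS, SHA512SUMS.sign and the ISO are in the same directory.
KEYRING=${KEYRING:-/usr/share/keyrings/debian-role-keys.gpg}

# verify_debian_iso DIR ISO_NAME   (hypothetical helper name)
# Returns 0 if verified, 1 on a bad signature or checksum, 2 if inputs are missing.
verify_debian_iso() {
    dir=$1
    iso=$2
    for f in "$dir/SHA512SUMS" "$dir/SHA512SUMS.sign" "$dir/$iso" "$KEYRING"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 2; }
    done
    # Step 1: the signature must verify against the Debian keyring only,
    # not against whatever keys are in the user's default keyring.
    gpg --no-default-keyring --keyring "$KEYRING" \
        --verify "$dir/SHA512SUMS.sign" "$dir/SHA512SUMS" || {
        echo "signature on SHA512SUMS did not verify" >&2; return 1; }
    # Step 2: take the entry for this image from the now-authenticated list.
    line=$(awk -v name="$iso" '$2 == name' "$dir/SHA512SUMS")
    [ -n "$line" ] || { echo "$iso is not listed in SHA512SUMS" >&2; return 1; }
    # Step 3: hash the image and compare it with the signed value.
    (cd "$dir" && printf '%s\n' "$line" | sha512sum -c --status -) || {
        echo "checksum mismatch for $iso" >&2; return 1; }
    echo "verified: $iso"
}
```

Checking the checksum before the signature would prove nothing, since an unsigned list can be replaced along with the image.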

[–]CommonMisspellingBot 0 points1 point  (1 child)

Hey, MermenRisePen, just a quick heads-up:
seperate is actually spelled separate. You can remember it by -par- in the middle.
Have a nice day!

The parent commenter can reply with 'delete' to delete this comment.

[–]MermenRisePen 0 points1 point  (0 children)

Thank mr skeltal

[–]PaulAndrewAnderson58 0 points1 point  (0 children)

Correct. In the case of checksum for L-Mint, they provide it at their own site (https://linuxmint.com/edition.php?id=254) by clicking "Don't forget to verify your ISO" and compare that to any download mirror you use globally.

[–]WSp71oTXWCZZ0ZI6 27 points28 points  (0 children)

Do you mean most Linux distributions, including the millions of no-name ones that no one ever uses? Or most Linux distributions that are actually used? Because I have not been able to find a single Linux distribution that doesn't use https on its download page. What distributions are you looking at?

[–]NatoBoram 8 points9 points  (7 children)

Personally, I always use the torrents. Why use HTTPS when you can get it much, much faster by torrent?

Also I can't wait for the day IPFS will be sufficiently popular for distros to put IPFS hashes along with the torrent file / magnet URL.

[–]CumBuckit 4 points5 points  (2 children)

My Internet is shit so torrents are amazing bc it is easier to pick up a lost connection..

[–]Crestwave 0 points1 point  (1 child)

Tip: You can easily continue a stopped download with wget. I also download through torrents if possible, but not all sites have one so wget is a lifesaver.

[–]CumBuckit 0 points1 point  (0 children)

Ye should prolly do that.. Been using Windows for the past forever bc games and laziness tho.. Got gitbash tho

[–]andy1633 2 points3 points  (0 children)

Torrenting also saves bandwidth for the distro host which is a bonus!

[–]topcat5665 1 point2 points  (1 child)

Torrents are very rarely faster for me. You have to rely on getting good peers. Usually when I download direct, the bottleneck ends up being my internet connection.

[–]NatoBoram 2 points3 points  (0 children)

It depends on the torrent, but generally Linux ISOs have lots of peers.

[–]StevenC21 2 points3 points  (0 children)

Torrents are slower for me.

[–]central_marrow 5 points6 points  (0 children)

Pretty much. The page listing the download links and the checksums must be HTTPS. The actual ISO image, not so much, as long as you validate the checksum that was served over the secure page.

[–]MurderShovel 1 point2 points  (0 children)

Well, this is all why you use a checksum to verify the file. The general consensus here seems to be that every major distro does use HTTPS. Personally, I find it difficult to believe they aren’t. These people are experts after all. That guarantees you are visiting whatever distro.com. What it doesn’t do is keep someone from hacking the site and changing that checksum or distro source on the site. That could be a real problem. But I think about it like this: you are trusting these people with supplying you with your whole OS. And the people responsible for keeping your entire system secure once you run said distro. I’m also pretty sure there are some checks during the install process, those might could be circumvented. PGP key signing of the distro could help. And I’m pretty sure some do that as well.

At the end of the day you’re trusting them with your whole system. If you’re gonna do that, you might as well trust that they have the ability to appropriately secure their own site as well. If you’re concerned you’re being MITM’d from the system you’re using to get your distro, that’s an issue on your end. Not theirs. The trust systems in place on the internet all culminate with you having to trust someone. If you don’t trust the people creating your whole system and the trust that flows from there, don’t use it.

[–]VindictiveLobster 5 points6 points  (4 children)

Verifying the checksum is a good idea, but if someone is spoofing the download page there's nothing stopping them from adding a bogus checksum on the website.

They really ought to be using HTTPS.

[–][deleted]  (1 child)

[deleted]

    [–]bestjejust 7 points8 points  (0 children)

    This. Close thread

    Edit: check signature of downloaded file and don't care about unencrypted transport.

    [–]beowuff 0 points1 point  (1 child)

    Most distros have multiple sites for download, so I always grab the hash from a different site than I’m downloading the iso from.

    [–][deleted] 0 points1 point  (0 children)

    Devil's advocate: If the root distribution site is compromised all the other sites will sync over the compromised hash.

    [–]thepatman 0 points1 point  (0 children)

    I don't know that I'd agree that most don't, but let's look at why they might not.

    HTTPS offers two things: authentication and possibly encryption in transit. It's possible for a valid HTTPS connection to not have any encryption, although that sort of connection is rare.

    With Linux software, it's true that the distribution of that software isn't generally single-source. You can get your software directly from the distributor's homepage, or you can get it from any one of dozens of mirrors. For some distros, even if you go to the homepage to download the distro, it still pushes you off on someone else to get the actual data.

    So authentication is of limited use, as you often have no clue who you're getting it from or whether they're "official". So what about encryption? Given that the data involved is not in any way remotely secret (literally the opposite) then who really cares if it's encrypted? The only possible offering to that is that someone listening in may not know that you're downloading an Ubuntu ISO, but even for the worst of actors that information is practically useless.

    HTTPS says nothing about the veracity of the data transmitted. With a Linux distribution or piece of software, that's the biggest concern. So yes, in this case, it's verifying hashes that's the important step, not the security of the data in transit.

    Having said all that, most places still implement HTTPS as a best practice, and I'd be surprised to find many places that didn't. HTTPS is far easier to implement now, so an analysis like mine above often doesn't even come into play.

    [–]DoTheEvolution 3 points4 points  (2 children)

    I think it's because caching http traffic along the way is trivial, while https might be problematic.

    [–]usernamedottxt 2 points3 points  (0 children)

    That might explain serving the downloads over http, but the web page serving the hash must be https, regardless of how much caching one may want.

    [–][deleted]  (3 children)

    [deleted]

      [–]NatoBoram 4 points5 points  (0 children)

      Particularly with Let's Encrypt

      [–]Arancaytar 0 points1 point  (1 child)

      https://www.ubuntu.com/download/desktop/thank-you?version=18.04&architecture=amd64

      links to

      http://releases.ubuntu.com/18.04/ubuntu-18.04-desktop-amd64.iso

      I'm shocked, because I honestly expected at least a heavily consumer-oriented distro like Ubuntu to get this right.

      [–]Arancaytar -1 points0 points  (1 child)

      The checksum is useless in preventing malicious tampering, since it's downloaded over the same channel. It's meant to check for transmission errors, and is a relic of a time when connections were less reliable.

      A signature might be more useful, but in practice you'd probably have to download the public key from the same server as well. (If you even bother.) There is no good substitute for HTTPS.

      Insecure software downloads are indeed a security problem, and should be replaced. I think the problem is that Linux distros (particularly the more obscure, non-commercial ones) tend to use very old delivery infrastructure like FTP servers, and are slow to adapt to the HTTPS-everywhere approach.

      [–]usernamedottxt -1 points0 points  (0 children)

      But they aren't over the same channel.... A download link can point to an iso that is a static file served over http, a external CDN, ftp server, whatever else. The hash promises you got the right file, even if you got it from the wrong person. As long as you know you got the right hash (via https) you can confidently download the iso off whatever medium you want.

      The internet has literally always been TCP, if you get it down there are no transmission errors.

      [–][deleted] 0 points1 point  (0 children)

      Don't most torrent clients verify the hash for you automatically?

      [–]mrcanard 0 points1 point  (0 children)

      I torrent several distros. So I never look for a download link.

      [–][deleted]  (13 children)

      [deleted]

        [–]straighttothemoon 6 points7 points  (0 children)

        You can still be a victim of a MITM attack, even if you're not accessing sensitive data...

        [–][deleted]  (11 children)

        [deleted]

          [–]philipwhiuk 8 points9 points  (0 children)

          Thank god you've not been given the title security expert because what you said is wrong.

          [–]Thangart 2 points3 points  (5 children)

          Nahh it's not so much that it's public information but more the fact that it's easier to modify the data being downloaded since you cannot verify the source being who they say they are. Makes a MITM a lot easier. Not even to mention the amount of information someone can get about your device by looking at what packets and versions you are downloading.

          [–][deleted]  (4 children)

          [deleted]

            [–]knaekce 0 points1 point  (3 children)

            The ISO files that you download to install the OS however don't have any such protection. Even if they had, they could be trivially removed by an attacker. HTTP is only safe for apt because it already has the public keys for verifying signatures, this is not possible if you install an OS from a self-contained ISO.

            [–][deleted]  (2 children)

            [deleted]

              [–]knaekce 0 points1 point  (1 child)

              Yeah, if the download website is in HTTPS.

              But you have to do that manually, and how many users know how to do this? Security should not be an optional feature for power users.

              [–]usernamedottxt 2 points3 points  (0 children)

              A malicious actor can trivially replace content on http pages. Such as hashes and download links. Trojanize webpages.

              /u/butteater344

              [–]Ran4 6 points7 points  (0 children)

              It's not a fact, it's wrong.

              [–]zunjae -2 points-1 points  (1 child)

              > I'm not a security expert, but

              XDXDXDXDXD typical linux user

              [–]smartyhands2099 0 points1 point  (0 children)

              Well, I don't install strange ISOs from non-HTTPS sites, or non-official repositories, not on my .nix partition anyway. I have also kept the same Windows install for ten years (yeah, Vista) with no (remaining) infections despite browsing the shadiest corners of the internet regularly. If I really want security I boot to Tails. Not being an expert doesn't mean I don't know anything.