Date: Mon, 3 Mar 2014 19:31:52 +0200 From: "Reko Turja" <reko.turja@liukuma.net> To: <freebsd-questions@freebsd.org> Subject: Re: Cryptografically signed ISO images Message-ID: <7CE839B022604851BDB431F1AD86AD37@Rivendell> In-Reply-To: <20140303164050.0482c1e6@gumby.homeunix.com> References: <20140302172759.GA4728@hp-netbook.local> <20140303152943.GA5696@hp-netbook.local> <46383.128.135.70.2.1393861805.squirrel@cosmo.uchicago.edu> <20140303160218.072db3fe@gumby.homeunix.com> <39523.128.135.70.2.1393863706.squirrel@cosmo.uchicago.edu> <20140303164050.0482c1e6@gumby.homeunix.com>
next in thread | previous in thread | raw e-mail | index | archive | help
-----Original Message----- From: RW On Mon, 3 Mar 2014 10:21:46 -0600 (CST) Valeri Galtsev wrote: >> Yes, but: if you verified the certificate of https host, you can be >> sure that ftp on the same IP address is owned by the same people. > The IP addresses of www.freebsd.org and ftp.freebsd.org are > different, but even if they weren't that wouldn't protect against > man-in-the-middle attacks. Hmm, grab the sha256 checksum of iso image from https://freebsd.org -address. Compare the said checksum to the downloaded image. The certainty that the image isn't tampered with should be strong enough. Of course, FreeBSD org CA and certificates could be compromised - or the access to web server - but so could be the PGP keys used for signing. Lot's of extra hassle IMO with no real extra security benefit. -Reko
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?7CE839B022604851BDB431F1AD86AD37>