From owner-freebsd-questions@FreeBSD.ORG Mon Mar 3 17:41:46 2014 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 73E18209 for ; Mon, 3 Mar 2014 17:41:46 +0000 (UTC) Received: from www.liukuma.net (www.liukuma.net [77.86.213.15]) by mx1.freebsd.org (Postfix) with ESMTP id 22305341 for ; Mon, 3 Mar 2014 17:41:45 +0000 (UTC) Received: from www.liukuma.net (localhost [127.0.0.1]) by www.liukuma.net (Postfix) with ESMTP id 9F95D1CC99 for ; Mon, 3 Mar 2014 19:31:59 +0200 (EET) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=liukuma.net; s=liukudkim; t=1393867919; bh=nsYt4HPW3HwmT1TtrKkL6JgzPjlcN4enyZZCH2ywRVc=; h=From:To:References:In-Reply-To:Subject:Date; b=Vjgis9g/m6s1qzk0iRgz5licH8UI2XRqhywIN7rDT89rWGwIGlaBaL3jQHMeKegEP c4Kv6pVxuYgnzIeA80vfKBJX9K/LKLbOW4NTKUpm5Nug99P/cLDZrsZ0HS2HJTm3DF MG0pMuQuaRv1+SQqIuSTkYjUaznAIiDIuaX8A9OQ= X-Virus-Scanned: amavisd-new at liukuma.net Received: from www.liukuma.net ([127.0.0.1]) by www.liukuma.net (www.liukuma.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id UuXIeEMu6KOp for ; Mon, 3 Mar 2014 19:31:54 +0200 (EET) Received: from Rivendell (dsl-kmibrasgw1-54f8d4-179.dhcp.inet.fi [84.248.212.179]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (Client did not present a certificate) (Authenticated sender: ignatz@www.liukuma.net) by www.liukuma.net (Postfix) with ESMTPSA id 7B96F1CC97 for ; Mon, 3 Mar 2014 19:31:54 +0200 (EET) Message-ID: <7CE839B022604851BDB431F1AD86AD37@Rivendell> From: "Reko Turja" To: References: <20140302172759.GA4728@hp-netbook.local> <20140303152943.GA5696@hp-netbook.local> <46383.128.135.70.2.1393861805.squirrel@cosmo.uchicago.edu> <20140303160218.072db3fe@gumby.homeunix.com> <39523.128.135.70.2.1393863706.squirrel@cosmo.uchicago.edu> <20140303164050.0482c1e6@gumby.homeunix.com> In-Reply-To: <20140303164050.0482c1e6@gumby.homeunix.com> Subject: Re: Cryptografically signed ISO images Date: Mon, 3 Mar 2014 19:31:52 +0200 MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal Importance: Normal X-Mailer: Microsoft Windows Live Mail 15.4.3555.308 X-MimeOLE: Produced By Microsoft MimeOLE V15.4.3555.308 X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 03 Mar 2014 17:41:46 -0000 -----Original Message----- From: RW On Mon, 3 Mar 2014 10:21:46 -0600 (CST) Valeri Galtsev wrote: >> Yes, but: if you verified the certificate of https host, you can be >> sure that ftp on the same IP address is owned by the same people. > The IP addresses of www.freebsd.org and ftp.freebsd.org are > different, but even if they weren't that wouldn't protect against > man-in-the-middle attacks. Hmm, grab the sha256 checksum of iso image from https://freebsd.org -address. Compare the said checksum to the downloaded image. The certainty that the image isn't tampered with should be strong enough. Of course, FreeBSD org CA and certificates could be compromised - or the access to web server - but so could be the PGP keys used for signing. Lot's of extra hassle IMO with no real extra security benefit. -Reko