Date: Mon, 3 Mar 2014 19:06:03 +0000
From: RW
To: freebsd-questions@freebsd.org
Subject: Re: Cryptografically signed ISO images
Message-ID: <20140303190603.154b14ec@gumby.homeunix.com>
In-Reply-To: <7CE839B022604851BDB431F1AD86AD37@Rivendell>

On Mon, 3 Mar 2014 19:31:52 +0200
Reko Turja wrote:

> -----Original Message-----
> From: RW
>
> On Mon, 3 Mar 2014 10:21:46 -0600 (CST)
> Valeri Galtsev wrote:
>
> >> Yes, but: if you verified the certificate of https host, you can be
> >> sure that ftp on the same IP address is owned by the same people.
>
> > The IP addresses of www.freebsd.org and ftp.freebsd.org are
> > different, but even if they weren't that wouldn't protect against
> > man-in-the-middle attacks.
>
> Hmm, grab the sha256 checksum of iso image from
> https://freebsd.org -address. Compare the said checksum to the
> downloaded image. The certainty that the image isn't tampered with
> should be strong enough.

We're going in circles. If such HTTPS checksum links exist, they are
not obvious. The main ISO links on the "Getting FreeBSD" page go to
FTP, the HTTP links on the mirrors page don't appear to support HTTPS.
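
The comparison proposed in the quoted text (a SHA-256 obtained over an authenticated channel, checked against an image fetched over FTP), as an added example that is not part of the original message or of any FreeBSD tooling. The two manifest line formats it parses and the function names are assumptions; the thread does not say what a checksum file looks like.

```python
import hashlib
import hmac
import re
from pathlib import Path

# Assumed manifest line formats (not stated in the thread):
#   BSD style:  SHA256 (name.iso) = <64 hex>
#   GNU style:  <64 hex>  name.iso
BSD_LINE = re.compile(r"^SHA256 \((?P<name>.+)\) = (?P<hex>[0-9a-fA-F]{64})$")
GNU_LINE = re.compile(r"^(?P<hex>[0-9a-fA-F]{64}) [ *](?P<name>.+)$")


def parse_manifest(text):
    """Return {file name: lowercase hex digest}; reject conflicting duplicates."""
    digests = {}
    for line in text.splitlines():
        m = BSD_LINE.match(line.strip()) or GNU_LINE.match(line.strip())
        if not m:
            continue  # comments, PGP armor lines, blank lines
        name, digest = m["name"], m["hex"].lower()
        if digests.setdefault(name, digest) != digest:
            raise ValueError(f"conflicting digests for {name}")
    return digests


def sha256_file(path, chunk=1 << 20):
    """Hash the image in chunks so a multi-GB ISO is never held in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while block := f.read(chunk):
            h.update(block)
    return h.hexdigest()


def verify_image(image_path, manifest_text):
    """Return 'ok', 'mismatch' or 'not-listed'. manifest_text must come from
    the authenticated channel (verified HTTPS); the image may come from FTP."""
    expected = parse_manifest(manifest_text).get(Path(image_path).name)
    if expected is None:
        return "not-listed"  # never treat a missing entry as a pass
    actual = sha256_file(image_path)
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


if __name__ == "__main__":
    import sys
    print(verify_image(sys.argv[1], Path(sys.argv[2]).read_text()))
```

The result is only as trustworthy as the channel the manifest came from: a manifest fetched over the same unauthenticated FTP connection as the image proves nothing against a man-in-the-middle.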