From: RW
To: freebsd-questions@freebsd.org
Date: Mon, 3 Mar 2014 16:40:50 +0000
Subject: Re: Cryptografically signed ISO images
Message-ID: <20140303164050.0482c1e6@gumby.homeunix.com>
In-Reply-To: <39523.128.135.70.2.1393863706.squirrel@cosmo.uchicago.edu>

On Mon, 3 Mar 2014 10:21:46 -0600 (CST)
Valeri Galtsev wrote:

>
> On Mon, March 3, 2014 10:02 am, RW wrote:
> > That's fine if you can download the checksum files by HTTPS, but on
> > an FTP server it's no more than a check against corruption.
>
> Yes, but: if you verified the certificate of https host, you can be
> sure that ftp on the same IP address is owned by the same people.

The IP addresses of www.freebsd.org and ftp.freebsd.org are different,
but even if they weren't, that wouldn't protect against
man-in-the-middle attacks.
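
The point made in this exchange, as an added example that is not part of the original message: a checksum file fetched over the same unauthenticated channel as the image confirms only that the two agree, while a checksum file obtained over an authenticated channel rejects the altered image. The file name, the image contents and the BSD-style `SHA256 (name) = digest` layout used here are constructed sample data and assumptions.

```python
import hashlib
import hmac
import re

# BSD-style checksum line, e.g. "SHA256 (name.iso) = <64 hex digits>"
LINE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<hex>[0-9a-f]{64})$")

def make_checksum_file(files):
    """Build a checksum file for {name: bytes}; anyone can do this, no key needed."""
    return "".join(
        f"SHA256 ({n}) = {hashlib.sha256(d).hexdigest()}\n" for n, d in files.items()
    )

def parse_checksum_file(text):
    """Return {name: hexdigest}; reject malformed lines instead of skipping them."""
    out = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE.match(line.strip())
        if m is None:
            raise ValueError(f"malformed checksum line: {line!r}")
        out[m["name"]] = m["hex"]
    return out

def verify(name, data, checksum_text):
    """True only if `name` is listed and its SHA-256 matches the listed digest."""
    expected = parse_checksum_file(checksum_text).get(name)
    if expected is None:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)

# Constructed sample data: stand-ins for the real image and checksum file.
NAME = "example-disc1.iso"
GENUINE = b"genuine image contents"
PUBLISHED = make_checksum_file({NAME: GENUINE})  # what the project published

# What arrives when the unauthenticated channel is altered in transit:
# both the image and the checksum file sitting next to it are replaced.
RECEIVED_IMAGE = b"altered image contents"
RECEIVED_CHECKSUMS = make_checksum_file({NAME: RECEIVED_IMAGE})

def demo():
    return {
        "in_band": verify(NAME, RECEIVED_IMAGE, RECEIVED_CHECKSUMS),  # True
        "authenticated": verify(NAME, RECEIVED_IMAGE, PUBLISHED),     # False
        "genuine": verify(NAME, GENUINE, PUBLISHED),                  # True
    }

if __name__ == "__main__":
    print(demo())
```

The in-band check passes because a bare hash carries no secret: whoever controls the channel can recompute it for any content.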