Cryptografically signed ISO images
Reko Turja
reko.turja at liukuma.net
Mon Mar 3 17:41:46 UTC 2014
-----Original Message-----
From: RW
On Mon, 3 Mar 2014 10:21:46 -0600 (CST)
Valeri Galtsev wrote:
>> Yes, but: if you verified the certificate of https host, you can be
>> sure that ftp on the same IP address is owned by the same people.
> The IP addresses of www.freebsd.org and ftp.freebsd.org are
> different, but even if they weren't that wouldn't protect against
> man-in-the-middle attacks.
Hmm, grab the sha256 checksum of iso image from
https://freebsd.org -address. Compare the said checksum to the downloaded
image. The certainty that the image isn't tampered with should be strong
enough.
Of course, FreeBSD org CA and certificates could be compromised - or the
access to web server - but so could be the PGP keys used for signing. Lot's
of extra hassle IMO with no real extra security benefit.
-Reko
More information about the freebsd-questions
mailing list