verification checksums should be served over https

9 messages

verification checksums should be served over https

shaclacroi
The download page links to checksums at http://www.freedos.org/download/verify.txt -- but since this page isn't available over https, there's no way to confirm the validity of the checksums, since the page could be intercepted and modified by a man-in-the-middle attacker (https://en.wikipedia.org/wiki/Man-in-the-middle_attack).
 
As free secure https certificates are now offered by Let's Encrypt (https://letsencrypt.org/), it may be advisable to get https set up for www.freedos.org.
 
Alternatively, as I see you're hosted on Amazon Web Services, if you're using Elastic Load Balancing or Amazon CloudFront, Amazon's Certificate Manager also offers free https certificates.
 
Let me know if I can be of any help.

------------------------------------------------------------------------------
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today. http://sdm.link/xeonphi
_______________________________________________
Freedos-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/freedos-user

Re: verification checksums should be served over https

Jim Hall-2
Setting up the www server with https has been on my to-do list for too long. I suppose this is my reminder to finally do that.



On Jan 14, 2017 1:34 PM, "shaclacroi" <[hidden email]> wrote:
The download page links to checksums at http://www.freedos.org/download/verify.txt -- but since this page isn't available over https, there's no way to confirm the validity of the checksums, since the page could be intercepted and modified by a man-in-the-middle attacker (https://en.wikipedia.org/wiki/Man-in-the-middle_attack).
 
As free secure https certificates are now offered by Let's Encrypt (https://letsencrypt.org/), it may be advisable to get https set up for www.freedos.org.
 
Alternatively, as I see you're hosted on Amazon Web Services, if you're using Elastic Load Balancing or Amazon CloudFront, Amazon's Certificate Manager also offers free https certificates.
 
Let me know if I can be of any help.


Re: verification checksums should be served over https

Louis Santillan
In reply to this post by shaclacroi
I would not be lured into a false sense of security provided by browser makers and their insistence that the safest form of browsing is over HTTPS. You can still be easily MITM'd with captive portals, gateway content inspection/injection, DNS forgery, via proxy content injection, your ad blocker or browser extensions profile and probably another half dozen easily implemented exploits. Heck, your browser can even become part of the MITM exploit.

I'll intentionally misquote a saying I've heard about rules & law: "[Encryption standards] aren't made to keep the bad guys out; they're made to keep the good guys in."



Re: verification checksums should be served over https

shaclacroi
Louis,
 
There are a few important points to make in response to what you said ...
 
1) We're not talking about merely browsing; we're talking about downloading and verifying software that will run on your computer. Without verification information being provided over https, there's absolutely no protection from a man-in-the-middle causing you to download a maliciously compromised version of the software from another server.
 
2) Apart from locally installed software or configuration (which you are responsible for and implicitly trust on your own computer), the examples of man-in-the-middle possibilities you list are ones that are protected by using https. That is, if I were going to download and verify FreeDOS, I would ensure that the verification checksums were served over https. When I attempted to load the checksums over https, if a captive portal intercepted the request, my browser would inform me that the MiTM doesn't have a matching certificate (unless my browser has been specially configured to trust the certificate of that captive portal, which means either I did it or I'm using some other organization's computer and accept the consequences). Additionally, a gateway cannot inspect or inject content going through https unless the computer initiating the request is specially configured to trust certificates created by that gateway, so if one that hasn't been trusted tries, you get a browser error just the same. DNS forgery would result in the same -- your browser would tell you that the server you're connecting to doesn't have a matching certificate. Proxy content injection -- same story. These are all examples of where user vigilance in ensuring they are getting the verification information over https protects the user from a MiTM attack. On the other hand, your browser and extensions you use could indeed modify the contents of https communications -- but this is locally installed and configured software that the user has chosen to trust.
 
The certificate system isn't perfect, but it's considerably better than nothing.
 
Sent: Sunday, January 15, 2017 at 12:43 AM
From: "Louis Santillan" <[hidden email]>
To: "Discussion and general questions about FreeDOS." <[hidden email]>
Subject: Re: [Freedos-user] verification checksums should be served over https
I would not be lured into a false sense of security provided by
browser makers and their insistence that the safest form of browsing
is over HTTPS. You can still be easily MITM'd with captive portals,
gateway content inspection/injection, DNS forgery, via proxy content
injection, your ad blocker or browser extensions profile and probably
another half dozen easily implemented exploits. Heck, your browser
can even become part of the MITM exploit.

I'll intentionally misquote a saying I've heard about rules & law;
"[Encryption standards] aren't made to keep the bad guys out; they're
made to keep the good guys in."


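Added example (not code from this thread or from the FreeDOS project) that turns the argument in the two shaclacroi posts above into a runnable check: a checksum list is accepted only from an https source, the TLS context enforces the certificate validation the reply describes, and a tampered file is shown passing against a checksum list that was rewritten to match it, which is what an http-served verify.txt allows. The `<hexdigest>  <filename>` layout, the sample file bytes and the filename are assumptions, not the contents of the real verify.txt.

```python
"""Checksum verification that refuses an http checksum source. Added example,
not FreeDOS code; the list layout, sample bytes and filename are assumptions."""
from __future__ import annotations
import hashlib
import hmac
import ssl
from urllib.parse import urlsplit

# Constructed stand-in for a release file; not a real FreeDOS image.
SAMPLE_FILE = b"constructed FreeDOS release image stand-in\n" * 64

def checksum_source_is_trustworthy(url: str) -> tuple[bool, str]:
    """A checksum list is only worth comparing against if it is fetched over
    https with certificate validation; over plain http a man-in-the-middle
    can rewrite the list and the file together so that they still match."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, f"checksum list at {url} is not served over https"
    if not parts.netloc:
        return False, "checksum URL has no host"
    return True, "ok"

def make_tls_context() -> ssl.SSLContext:
    """Default context validates the chain and checks the hostname, so a
    captive portal, forged DNS answer or injecting proxy with a non-matching
    certificate fails the handshake instead of being served the page."""
    ctx = ssl.create_default_context()
    assert ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED
    return ctx

def build_checksum_list(files: dict[str, bytes]) -> str:
    """sha256sum-style '<hex>  <name>' lines; used only to build samples here."""
    return "".join(f"{hashlib.sha256(d).hexdigest()}  {n}\n" for n, d in files.items())

def parse_checksum_list(text: str) -> dict[tuple[str, str], str]:
    """Map (algorithm, filename) -> hexdigest; algorithm inferred from digest
    length (32 hex chars MD5, 64 SHA-256). Comments and odd lines are skipped."""
    table: dict[tuple[str, str], str] = {}
    for line in text.splitlines():
        fields = line.strip().split(maxsplit=1)
        if len(fields) != 2 or fields[0].startswith("#"):
            continue
        digest, name = fields[0].lower(), fields[1].lstrip("*")
        algo = {32: "md5", 64: "sha256"}.get(len(digest))
        if algo and all(c in "0123456789abcdef" for c in digest):
            table[(algo, name)] = digest
    return table

def verify_download(name: str, data: bytes, checksum_text: str) -> bool:
    """True if data matches the SHA-256 entry for name. MD5-only entries are
    rejected: MD5 is not collision resistant, so they verify nothing."""
    expected = parse_checksum_list(checksum_text).get(("sha256", name))
    if expected is None:
        return False
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected)

def mitm_scenario() -> dict[str, bool]:
    """A tampered file fails against the genuine list but passes against a
    list rewritten to match it, which an http-served verify.txt allows."""
    name = "FD-release.zip"  # constructed filename
    genuine_list = build_checksum_list({name: SAMPLE_FILE})
    tampered = SAMPLE_FILE[:-1] + b"!"  # one byte altered in transit
    attacker_list = build_checksum_list({name: tampered})
    return {
        "genuine_file_genuine_list": verify_download(name, SAMPLE_FILE, genuine_list),
        "tampered_file_genuine_list": verify_download(name, tampered, genuine_list),
        "tampered_file_attacker_list": verify_download(name, tampered, attacker_list),
    }
```

The third result of mitm_scenario() is the point of the thread: a matching digest proves nothing unless the list itself reached you untampered, which is what https with certificate validation provides.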

Re: verification checksums should be served over https

Dale E Sterner
In reply to this post by shaclacroi
I'm ignorant; what does MITM'd mean? I'm a computer guru.

thanks
DS




******************************************************>>>>
From Dale Sterner - MS organic chemistry
http://pubs.acs.org/doi/abs/10.1021/jo00975a052
*******************************************************>>>>


Re: verification checksums should be served over https

Dale E Sterner
In reply to this post by shaclacroi
My reply should have read that I'm NOT a computer
guru. I miss out when I don't understand the content.

cheers
DS



Re: verification checksums should be served over https

perditionc
In reply to this post by Dale E Sterner
On Jan 15, 2017 11:23 AM, "Dale E Sterner" <[hidden email]> wrote:
...
what does MITM'd mean. 
...

man in the middle


Re: verification checksums should be served over https

Dale E Sterner
In reply to this post by shaclacroi
Thanks. A new technical term. It would have taken a
long time to get that one.

thanks DS



On Sun, 15 Jan 2017 11:47:17 -0500 [hidden email] writes:
> On Jan 15, 2017 11:23 AM, "Dale E Sterner" <[hidden email]>
> wrote:
> ...
>
> what does MITM'd mean.
>
> ...
>
> man in the middle



Re: verification checksums should be served over https

Jerome Shidel
In reply to this post by shaclacroi

If you are still concerned that your download might have been compromised by a MIM, you can get copies of the MD5 & SHA256 hash values or even download the entire release media from my server https://fd.lod.bz. At present, it contains a mirror of the FreeDOS releases and a FreeDOS compatible software repository. The repo contains all the packages that shipped with FreeDOS 1.0 through 1.2, the official repository and a couple other free software packages that are not in the official repo.

Jerome


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Freedos-user mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/freedos-user