Date: Mon, 3 Mar 2014 19:06:03 +0000 From: RW <rwmaillists@googlemail.com> To: freebsd-questions@freebsd.org Subject: Re: Cryptografically signed ISO images Message-ID: <20140303190603.154b14ec@gumby.homeunix.com> In-Reply-To: <7CE839B022604851BDB431F1AD86AD37@Rivendell> References: <20140302172759.GA4728@hp-netbook.local> <20140303152943.GA5696@hp-netbook.local> <46383.128.135.70.2.1393861805.squirrel@cosmo.uchicago.edu> <20140303160218.072db3fe@gumby.homeunix.com> <39523.128.135.70.2.1393863706.squirrel@cosmo.uchicago.edu> <20140303164050.0482c1e6@gumby.homeunix.com> <7CE839B022604851BDB431F1AD86AD37@Rivendell>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 3 Mar 2014 19:31:52 +0200 Reko Turja wrote: > -----Original Message----- > From: RW > > On Mon, 3 Mar 2014 10:21:46 -0600 (CST) > Valeri Galtsev wrote: > > >> Yes, but: if you verified the certificate of https host, you can be > >> sure that ftp on the same IP address is owned by the same people. > > > The IP addresses of www.freebsd.org and ftp.freebsd.org are > > different, but even if they weren't that wouldn't protect against > > man-in-the-middle attacks. > > Hmm, grab the sha256 checksum of iso image from > https://freebsd.org -address. Compare the said checksum to the > downloaded image. The certainty that the image isn't tampered with > should be strong enough. We're going in circles. If such HTTPS checksum links exist, they are not obvious. The main ISO links on the "Getting FreeBSD" page go to FTP, the HTTP links on the mirrors page don't appear to support HTTPS.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20140303190603.154b14ec>