Ubuntu downloads are insecure

Bug #1454247 reported by Matthew Paul Thomas
This bug affects 1 person
Affects: ubuntu-website-content | Status: Incomplete | Importance: Wishlist | Assigned to: Unassigned

Bug Description

1. Starting at the ubuntu.com front page, download a copy of Ubuntu.

What happens:
A. <http://www.ubuntu.com/> is served over HTTP.
B. <http://www.ubuntu.com/download> is served over HTTP.
C. <http://www.ubuntu.com/download/desktop> is served over HTTP.
D. <http://www.ubuntu.com/download/desktop/contribute/?version=14.04.2&architecture=amd64> is served over HTTP.
E. <http://www.ubuntu.com/download/desktop/thank-you?country=GB&version=14.04.2&architecture=amd64> is served over HTTP.
F. <http://releases.ubuntu.com/14.04.2/ubuntu-14.04.2-desktop-amd64.iso> is served over HTTP.

An attacker could perform a MITM attack at any of these stages to give you an ISO that seems to be the real Ubuntu, but is actually malware.

What should happen: The image, and all the ubuntu.com pages leading to it, are served over HTTPS.

This might be dependent on moving www.ubuntu.com to HTTPS generally (see also bug 1385886), but switching releases.ubuntu.com to HTTPS is also necessary and could be worked on in parallel.

information type: Proprietary → Private Security
Peter Mahnke (peterm-ubuntu) wrote :

I have passed this to IS

Changed in ubuntu-website-content:
importance: Undecided → Wishlist
status: New → Triaged
Matthew Paul Thomas (mpt) wrote :

Setting to public, as there are no confidential details here and the issue has been raised on ubuntu-devel-discuss@. <https://lists.ubuntu.com/archives/ubuntu-devel-discuss/2015-September/thread.html#15819>

information type: Private Security → Public Security
Dimitri John Ledkov (xnox) wrote :

After downloading the image F, one should proceed to verify its authenticity.

1) download checksums
2) download GPG signatures on those checksums
3) verify GPG signature
4) compare checksums of the image downloaded with the signed ones

All of the above mentioned things are available from http://releases.ubuntu.com/

e.g. For trusty
http://releases.ubuntu.com/trusty/SHA256SUMS
http://releases.ubuntu.com/trusty/SHA256SUMS.gpg

And the keys used to sign these are in the global strongly connected GnuPG web of trust set. And one can establish a trust path to said key via real humans (most Ubuntu and Debian developers).

However, I do take that this is slightly obscure. However, we will not rely on TLS (SSL) as that opens us up to all the TLS/SSL server and client side vulnerabilities as well as rogue CA, whilst limiting our ability to utilise CDN, mirror network and country specific mirrors.

An easier way to grab and validate checksums and GPG signatures would be nice. Imho web browsers should be able to find and validate those.

Changed in ubuntu-website-content:
status: Triaged → Incomplete
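
Added example (not part of the original bug report or its comments): steps 3 and 4 of the verification procedure in the comment above, as shell functions. The function names and the keyring path are hypothetical; it assumes `gpgv`, `sha256sum` and `awk` are installed and that the keyring file holds only the release signing key, obtained and fingerprint-checked out of band rather than over the same HTTP channel.

```sh
#!/bin/sh
# Added example: verify a downloaded image against signed checksums.
# Assumption: the keyring passed in contains only the release signing key,
# fetched and fingerprint-checked through a separate, trusted channel.

# Step 3: check the detached signature on the checksum file.
# gpgv accepts signatures only from keys present in the given keyring.
verify_sums_signature() (
    sums=$1; sig=$2; keyring=$3
    # A keyring name without a slash is looked up in gpg's home directory,
    # so pass an absolute path or one starting with ./
    gpgv --keyring "$keyring" "$sig" "$sums"
)

# Step 4: compare the image's SHA-256 with its entry in the checksum file.
# Lines look like "<64 hex digits> *<filename>"; the "*" marks binary mode.
# File names containing spaces are not handled.
check_image_hash() (
    sums=$1; image=$2
    name=$(basename "$image")
    # Fail closed unless exactly one line names this file.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { print tolower($1); hits++ }
        END { if (hits != 1) exit 1 }' "$sums") || {
        echo "no unique entry for $name in $sums" >&2; exit 1; }
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || {
        echo "checksum mismatch for $name" >&2; exit 1; }
)

# Usage: verify_release SHA256SUMS SHA256SUMS.gpg IMAGE KEYRING
verify_release() {
    # Order matters: an unsigned checksum file proves nothing about the image.
    verify_sums_signature "$1" "$2" "$4" && check_image_hash "$1" "$3"
}
```

For example: `verify_release SHA256SUMS SHA256SUMS.gpg ubuntu-14.04.2-desktop-amd64.iso ./release-keyring.gpg`, which returns non-zero if either the signature or the checksum check fails.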