Ubuntu downloads are insecure
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
ubuntu-website-content | Incomplete | Wishlist | Unassigned | |
Bug Description
1. Starting at the ubuntu.com front page, download a copy of Ubuntu.
What happens:
A. <http://
B. <http://
C. <http://
D. <http://
E. <http://
F. <http://
An attacker could perform a MITM attack at any of these stages to give you an ISO that seems to be the real Ubuntu, but is actually malware.
What should happen: The image, and all the ubuntu.com pages leading to it, are served over HTTPS.
This might be dependent on moving www.ubuntu.com to HTTPS generally (see also bug 1385886), but switching releases.ubuntu.com to HTTPS is also necessary and could be worked on in parallel.
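As an added illustration (not part of the original bug report), the sketch below audits a download path hop by hop and shows why a single plaintext step undermines every later HTTPS step: the link or redirect that leads onward can be rewritten in transit. The hosts and paths in `SAMPLE_CHAIN` are constructed placeholders, not the truncated URLs listed above, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed download path (hypothetical hosts, not the URLs from the report):
# each entry is one step a browser takes from the front page to the ISO.
SAMPLE_CHAIN = [
    "https://www.example.test/",
    "https://www.example.test/download",
    "http://www.example.test/download/desktop",
    "https://www.example.test/download/desktop/thank-you",
    "https://releases.example.test/release/image.iso",
]

def audit_chain(urls):
    """Return one finding per hop as (url, status, reason).

    status is "ok", "plaintext" (the hop itself is not HTTPS) or "tainted"
    (the hop is HTTPS but is reached through an earlier plaintext hop, so
    the link or redirect pointing to it could have been altered in transit).
    """
    findings = []
    first_plaintext = None
    for url in urls:
        scheme = urlsplit(url).scheme.lower()
        if scheme != "https":
            status = "plaintext"
            reason = f"served over {scheme or 'no scheme'}"
            first_plaintext = first_plaintext or url
        elif first_plaintext:
            status = "tainted"
            reason = f"reached via {first_plaintext}"
        else:
            status = "ok"
            reason = "HTTPS with an unbroken HTTPS path so far"
        findings.append((url, status, reason))
    return findings

def chain_is_trustworthy(urls):
    """True only if every hop, including the final image, is HTTPS."""
    return bool(urls) and all(s == "ok" for _, s, _ in audit_chain(urls))

if __name__ == "__main__":
    for url, status, reason in audit_chain(SAMPLE_CHAIN):
        print(f"{status:9} {url}  ({reason})")
    print("trustworthy:", chain_is_trustworthy(SAMPLE_CHAIN))
```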
information type: Proprietary → Private Security
I have passed this to IS