Comment 1 for bug 1219589

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Our distribution directories such as have SHA256SUMS and SHA256SUMS.gpg files that would be safer to use -- the SHA256SUMS file is gpg signed with a detached signature, and this does a significantly better job protecting the data you care about -- the hash of the ISO.

HTTPS is convenient, but someone in a position to perform a DNS poisoning attack and convince one of the many certificate authorities to issue a fraudulent certificate can bypass the HTTPS verifications easily.