Comment 1 for bug 1219589

Seth Arnold (seth-arnold) wrote :

Our distribution directories such as http://mirror.anl.gov/pub/ubuntu-iso/DVDs/ubuntu/12.04/release/ have SHA256SUMS and SHA256SUMS.gpg files that would be safer to use -- the SHA256SUMS file is gpg signed with a detached signature, and this does a significantly better job protecting the data you care about -- the hash of the ISO.

HTTPS is convenient, but someone in a position to perform a DNS poisoning attack and convince one of the many certificate authorities to issue a fraudulent certificate can bypass the HTTPS verifications easily.

Thanks
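
The verification order this comment describes, as an added example that is not part of the original comment or any Ubuntu tooling: check the detached signature on SHA256SUMS first, and only then compare the ISO against the signed hash. The function names, the keyring argument and the command-line usage are assumptions; the trusted signing key is assumed to have been obtained out of band and stored in its own keyring file.

```shell
#!/bin/sh
# Added example: verify a downloaded ISO against a GPG-signed SHA256SUMS file.
# Function names and arguments are assumptions made for this illustration.

# Step 1: verify the detached signature over SHA256SUMS.
#   $1 = keyring file holding only the trusted signing key
#   $2 = directory containing SHA256SUMS and SHA256SUMS.gpg
verify_sums_signature() {
    keyring=$1
    dir=$2
    # gpgv accepts only keys present in the given keyring, so a key served
    # from the same mirror as the download cannot vouch for itself.
    gpgv --keyring "$keyring" "$dir/SHA256SUMS.gpg" "$dir/SHA256SUMS"
}

# Step 2: compare one image against its entry in SHA256SUMS.
#   $1 = directory, $2 = ISO file name (assumed to contain no spaces)
# Returns 0 on match, 1 on mismatch, 2 if the file has no entry.
check_iso_hash() {
    dir=$1
    iso=$2
    # Entries look like "<hex digest> *<name>" or "<hex digest>  <name>".
    expected=$(awk -v f="$iso" \
        '{ n = $2; sub(/^\*/, "", n); if (n == f) { print $1; exit } }' \
        "$dir/SHA256SUMS")
    [ -n "$expected" ] || { echo "no entry for $iso" >&2; return 2; }
    actual=$(sha256sum "$dir/$iso" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || { echo "hash mismatch for $iso" >&2; return 1; }
}

# Signature first: the hashes mean nothing until the file listing them
# has been authenticated.
verify_iso() {
    verify_sums_signature "$1" "$2" || {
        echo "SHA256SUMS signature check failed" >&2
        return 1
    }
    check_iso_hash "$2" "$3"
}

# Usage: script KEYRING DIR ISO_NAME
if [ $# -eq 3 ]; then
    verify_iso "$@"
fi
```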