Recommended ISO checksums hosted on mirror, security risk

Suggestions and feedback for Linux Mint and the forums
andrew_nz
Level 1
Posts: 10
Joined: Tue Jan 18, 2022 7:56 pm

Recommended ISO checksums hosted on mirror, security risk

Post by andrew_nz »

First off I'm a big Linux Mint fan and want to send a thanks to everyone that makes it possible.

A large part of verifying a Linux ISO is knowing for sure it has not been modified by a middleman. Distributions should host the checksums on their official website (e.g. linuxmint.com); the file is tiny and shouldn't be a bandwidth issue.

Solus, Elementary OS (and others) also list the checksums on their actual site in a normal HTML page so there's no confusion.

Having the main checksum links pointing to a random mirror (and nothing in the HTML of the download page), like Linux Mint is currently doing, means someone could possibly change those checksums to match their malicious ISO.

I'm given these addresses when I click on the checksum links on the official download page (https://linuxmint.com/edition.php?id=292):

https://ftp.heanet.ie/mirrors/linuxmint ... 256sum.txt

https://ftp.heanet.ie/mirrors/linuxmint ... um.txt.gpg
Last edited by andrew_nz on Tue Jan 18, 2022 9:54 pm, edited 2 times in total.
AZgl1800
Level 20
Posts: 11171
Joined: Thu Dec 31, 2015 3:20 am
Location: Oklahoma where the wind comes Sweeping down the Plains
Contact:

Re: Main links to sha256 sums hosted on mirror, security risk

Post by AZgl1800 »

I use the checksum from Mint's server, then download the ISO from a mirror
LM21.3 Cinnamon ASUS FX705GM | Donate to Mint https://www.patreon.com/linux_mint
andrew_nz
Level 1
Posts: 10
Joined: Tue Jan 18, 2022 7:56 pm

Re: Main links to sha256 sums hosted on mirror, security risk

Post by andrew_nz »

AZgl1800 wrote: Tue Jan 18, 2022 8:50 pm I use the checksum from Mint's server, then download the ISO from a mirror
The checksums Linux Mint asks people to use on the official download page are hosted at https://ftp.heanet.ie
t42
Level 11
Posts: 3730
Joined: Mon Jan 20, 2014 6:48 pm

Re: Recommended ISO checksums hosted on mirror, security risk

Post by t42 »

andrew_nz wrote: Tue Jan 18, 2022 8:06 pm Having the main checksum links pointing to a random mirror (and nothing in the HTML of the download page), like Linux Mint is currently doing, means someone could possibly change those checksums to match their malicious ISO.
It makes no difference from where the files and their signatures were downloaded. The file containing checksums is cryptographically signed. The signature is verified using the Linux Mint signing public key with fingerprint 27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09. If the data in the signed document were modified in any way, a verification of the signature will fail.
-=t42=-
andrew_nz
Level 1
Posts: 10
Joined: Tue Jan 18, 2022 7:56 pm

Re: Recommended ISO checksums hosted on mirror, security risk

Post by andrew_nz »

t42 wrote: Wed Jan 19, 2022 2:23 am
andrew_nz wrote: Tue Jan 18, 2022 8:06 pm Having the main checksum links pointing to a random mirror (and nothing in the HTML of the download page), like Linux Mint is currently doing, means someone could possibly change those checksums to match their malicious ISO.
It makes no difference from where the files and their signatures were downloaded. The file containing checksums is cryptographically signed. The signature is verified using the Linux Mint signing public key with fingerprint 27DE B156 44C6 B3CF 3BD7 D291 300F 846B A25B AE09. If the data in the signed document were modified in any way, a verification of the signature will fail.
In my experience the majority of people use the sha256sum command to check ISOs; this is a method Linux Mint officially endorses.

It already looks like a middleman attack: it looks like the links to the text file with the checksums (and, less importantly, the GPG file) have been changed to a random website (a university in Ireland, "Ireland’s National Education and Research Network").

Whoever has access (students, teachers, IT staff) or gains access to the university servers could change the checksums in the text file (that is on all the official Linux Mint download pages) and the Linux Mint ISOs to those of malicious ISOs.

How can someone be sure that's not already the case? (With the checksums being on such an obscure-sounding website.)

Linux Mint has had something very similar happen in the past.

There is a reason almost all other distros host the checksums on their official servers. Listing it in the HTML is even better (which most also do).
t42
Level 11
Posts: 3730
Joined: Mon Jan 20, 2014 6:48 pm

Re: Recommended ISO checksums hosted on mirror, security risk

Post by t42 »

andrew_nz wrote: Thu Jan 27, 2022 8:11 pm In my experience the majority of people use the sha256sum command to check ISOs; this is a method Linux Mint officially endorses.

It already looks like a middleman attack: it looks like the links to the text file with the checksums (and, less importantly, the GPG file) have been changed to a random website (a university in Ireland, "Ireland’s National Education and Research Network").

Whoever has access (students, teachers, IT staff) or gains access to the university servers could change the checksums in the text file (that is on all the official Linux Mint download pages) and the Linux Mint ISOs to those of malicious ISOs.

How can someone be sure that's not already the case? (With the checksums being on such an obscure-sounding website.)

Linux Mint has had something very similar happen in the past.

There is a reason almost all other distros host the checksums on their official servers. Listing it in the HTML is even better (which most also do).
How Do I Verify a PGP Signature?
-=t42=-
andrew_nz
Level 1
Posts: 10
Joined: Tue Jan 18, 2022 7:56 pm

Re: Recommended ISO checksums hosted on mirror, security risk

Post by andrew_nz »

t42 wrote: Fri Jan 28, 2022 3:06 am
andrew_nz wrote: Thu Jan 27, 2022 8:11 pm In my experience the majority of people use the sha256sum command to check ISOs; this is a method Linux Mint officially endorses.

It already looks like a middleman attack: it looks like the links to the text file with the checksums (and, less importantly, the GPG file) have been changed to a random website (a university in Ireland, "Ireland’s National Education and Research Network").

Whoever has access (students, teachers, IT staff) or gains access to the university servers could change the checksums in the text file (that is on all the official Linux Mint download pages) and the Linux Mint ISOs to those of malicious ISOs.

How can someone be sure that's not already the case? (With the checksums being on such an obscure-sounding website.)

Linux Mint has had something very similar happen in the past.

There is a reason almost all other distros host the checksums on their official servers. Listing it in the HTML is even better (which most also do).
How Do I Verify a PGP Signature?
So never mind the fact Linux Mint asks users to check using sha256sum on each download page and in their official readme doc? A method which is usually very safe.

https://blog.linuxmint.com/?p=2994

https://www.trendmicro.com/vinfo/fr/sec ... a-backdoor

Your decision not mine. Fingers crossed.
rene
Level 20
Posts: 12212
Joined: Sun Mar 27, 2016 6:58 pm

Re: Recommended ISO checksums hosted on mirror, security risk

Post by rene »

andrew_nz wrote: Fri Jan 28, 2022 9:22 pm So never mind the fact Linux Mint asks users to check using sha256sum on each download page and in their official readme doc?
Linux Mint does not ask users to "check using sha256sum". It asks users to verify the .iso against sha256sum.txt and then to verify sha256sum.txt using gpg; cf. https://linuxmint-installation-guide.re ... erify.html. The sha256sum check is used and described only as a first, integrity check, i.e., to guard against corrupted downloads. The second part is what you are on about.

That second cryptographic part is a lot harder to compromise generally than is your suggestion of a single, possibly hackable webpage as the source for the sha256sums, and the reason that Linux Mint then doesn't also put the sha256sums up online is that this would amount to official endorsement of using only the first part of the process rather than doing it right --- I suppose. Because just look at yourself as an example: while allegedly concerned about security enough to post about the issue, that second step is seemingly still too much to ask of you.

Note, "I suppose" because, no, not his decision, nor mine: you are on a user forum talking to users and not to Linux Mint. Personally I'm somewhat non-paranoid and have been known to suggest to particularly technically challenged new users to do only the first sha256sum integrity check or even to not bother at all, but I'm not Linux Mint. Linux Mint will need to promote the better, more secure method. Again personally: for those for whom said better and more secure method is too much to ask... <shrug>
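The two-step procedure that t42's and rene's replies describe, written out as an added example for this thread (it is not Linux Mint's own script, and the commands are not copied from the installation guide): step 1 checks the downloaded ISO against sha256sum.txt, step 2 verifies the detached signature sha256sum.txt.gpg against the key whose fingerprint t42 quoted, so a checksum file served by any mirror is trusted only if the signature checks out. The file names, the isolated keyring path and the keyserver are assumptions; only the fingerprint comes from the thread.

```shell
#!/bin/sh
# Added example, not Linux Mint's own tooling. Implements the two-step
# verification discussed in the thread:
#   1. integrity:    sha256 of the ISO matches the entry in sha256sum.txt
#   2. authenticity: sha256sum.txt.gpg is a valid signature over sha256sum.txt
#                    made by the Linux Mint signing key (fingerprint from t42's post)
# Step 1 alone only catches a corrupt download; step 2 is what makes the
# mirror that served sha256sum.txt irrelevant, because editing the file
# invalidates the signature and the editor has no private key to re-sign it.

# Fingerprint as quoted in the thread, with the spaces removed (gpg's own form).
MINT_FPR="27DEB15644C6B3CF3BD7D291300F846BA25BAE09"

# Turn the spaced "27DE B156 ..." form into the compact upper-case hex form.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Step 1: integrity. iso_dir holds the ISO and the sums file (sums given by
# name, relative to iso_dir). sha256sum.txt lists every edition, so
# --ignore-missing skips the ones not downloaded; if no listed file is present
# at all, sha256sum still reports failure, which is what we want.
check_integrity() {
    iso_dir="$1"; sums="$2"
    ( cd "$iso_dir" && sha256sum --ignore-missing --status -c "$sums" )
}

# Step 2: authenticity. Verifies the detached signature using only an isolated
# keyring (absolute path assumed) and accepts only a VALIDSIG status line that
# carries the expected fingerprint. Checking gpg's exit status alone would also
# accept a "good" signature from any other key that happened to be imported.
check_authenticity() {
    sums="$1"; sig="$2"; keyring="$3"
    gpg --no-default-keyring --keyring "$keyring" --status-fd 1 \
        --verify "$sig" "$sums" 2>/dev/null \
      | grep '^\[GNUPG:\] VALIDSIG ' | grep -q "$MINT_FPR"
}

# One-time key import into the isolated keyring (needs network). The keyserver
# is an assumption; the fingerprint is what you compare, not the server.
import_mint_key() {
    keyring="$1"
    gpg --no-default-keyring --keyring "$keyring" \
        --keyserver hkp://keyserver.ubuntu.com:80 --recv-key "$MINT_FPR"
}

# Full procedure: both steps must pass, and the failing step is reported.
# Usage: verify_iso /path/to/downloads sha256sum.txt sha256sum.txt.gpg /abs/path/mint.kbx
verify_iso() {
    iso_dir="$1"; sums="$2"; sig="$3"; keyring="$4"
    check_integrity "$iso_dir" "$sums" \
        || { echo "integrity check FAILED: ISO does not match $sums" >&2; return 1; }
    check_authenticity "$iso_dir/$sums" "$iso_dir/$sig" "$keyring" \
        || { echo "authenticity check FAILED: $sums is not signed by $MINT_FPR" >&2; return 2; }
    echo "ISO verified: checksum matches and $sums is signed by $MINT_FPR"
}
```

The return codes distinguish the two failure modes: a 1 means a bad download (retry it), a 2 means the checksum file itself is not the one Linux Mint signed, which is the case this thread is about and the only one for which the hosting location of sha256sum.txt would otherwise have mattered.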
andrew_nz
Level 1
Posts: 10
Joined: Tue Jan 18, 2022 7:56 pm

Re: Recommended ISO checksums hosted on mirror, security risk

Post by andrew_nz »

rene wrote: Sat Jan 29, 2022 4:06 am
andrew_nz wrote: Fri Jan 28, 2022 9:22 pm So never mind the fact Linux Mint asks users to check using sha256sum on each download page and in their official readme doc?
Linux Mint does not ask users to "check using sha256sum". It asks users to verify the .iso against sha256sum.txt and then to verify sha256sum.txt using gpg; cf. https://linuxmint-installation-guide.re ... erify.html. The sha256sum check is used and described only as a first, integrity check, i.e., to guard against corrupted downloads. The second part is what you are on about.

That second cryptographic part is a lot harder to compromise generally than is your suggestion of a single, possibly hackable webpage as the source for the sha256sums, and the reason that Linux Mint then doesn't also put the sha256sums up online is that this would amount to official endorsement of using only the first part of the process rather than doing it right --- I suppose. Because just look at yourself as an example: while allegedly concerned about security enough to post about the issue, that second step is seemingly still too much to ask of you.

Note, "I suppose" because, no, not his decision, nor mine: you are on a user forum talking to users and not to Linux Mint. Personally I'm somewhat non-paranoid and have been known to suggest to particularly technically challenged new users to do only the first sha256sum integrity check or even to not bother at all, but I'm not Linux Mint. Linux Mint will need to promote the better, more secure method. Again personally: for those for whom said better and more secure method is too much to ask... <shrug>
Checking a sha256 sum is the only thing many distros recommend on their download page, and if it is hosted on the official domain or just listed in its HTML it is a secure method. After Linux Mint was hacked that's the method they recommended to avoid the malicious ISO.

Linux Mint probably has more Windows adopters than any other distro; what are the chances someone on Windows would use the PGP method? Linux Mint doesn't even tell them how to.
Last edited by andrew_nz on Sat Jan 29, 2022 5:20 am, edited 1 time in total.
andrew_nz
Level 1
Posts: 10
Joined: Tue Jan 18, 2022 7:56 pm

Re: Recommended ISO checksums hosted on mirror, security risk

Post by andrew_nz »

Is there a reason to trust that Irish university more than their official domain? I'd assume not. Who knows.
rene
Level 20
Posts: 12212
Joined: Sun Mar 27, 2016 6:58 pm

Re: Recommended ISO checksums hosted on mirror, security risk

Post by rene »

andrew_nz wrote: Sat Jan 29, 2022 4:44 am It just seems a bit mad that the one distro that has dealt with a malicious ISO hack doesn't do this tiny change that could make a big difference.
As was just explained, the one distro that has dealt with a malicious ISO hack has elected for the technically superior method of cryptographic verification that is in place currently, and as a result of that very episode 6 years ago. You state that if the checksums are "hosted on the official domain or in its HTML it is a secure method" but without justification for such: webservers can be compromised and this is in fact precisely what happened back then: the Linux Mint website got hacked to link to a backdoored .iso. Not anything to do with checksums, which would/could moreover have been changed right alongside the link if they would have had, so pray tell, how is this thing that those "many other distros recommend" in fact a better thing rather than a worse thing?

Technically. Linux Mint has at the moment an explicitly secured server also for e.g. distributing the key fingerprint and I've frankly also considered that putting the checksums up there as well could be beneficial for e.g. Windows users -- but said server being very explicitly hard to change things around on might of course have something to do with things, even if my earlier "official endorsement of lesser method" wouldn't have.

The thing you seem to not acknowledge is that Linux Mint has at the moment elected for a scheme technically superior to your suggestion and to those many other distributions' methods, and specifically as a result of seeing your suggestion compromised once already. If the remaining argument is the social one I'm not all that interested: for Linux users the linked authentication instructions are easy; those amongst Linux users who waffle on about security while being too incompetent and/or intellectually lazy to use those easy instructions I'd see Darwin-ed out of here sooner rather than later anyway. Windows users admittedly perhaps not so much, and that's the context in which I've here suggested not bothering with the authentication step; can after all just verify sums from the web at large and/or from this forum specifically, and we're talking about one-in-a-millions anyway, and in which context I've as said considered that putting the sums on a secured server could be good.

Your statement of things being secure when "hosted on the official domain or in its HTML" is in any case simply untrue and that makes your suggestion not useful as such: a compromised website is the very thing that once was the problem and the thing that is being defended against; as to why the currently also active explicitly secured server is not the answer relies on details of the internal Linux Mint network infrastructure to which neither you nor I am privy.

Note by the way that Linux Mint is located in Ireland. The Heanet server is "the official/first Linux Mint server" in any sense in which any such exists in the first place.
Last edited by rene on Sat Jan 29, 2022 6:21 am, edited 1 time in total.
JoeFootball
Level 13
Posts: 4673
Joined: Tue Nov 24, 2009 1:52 pm
Location: /home/usa/mn/minneapolis/joe

Re: Recommended ISO checksums hosted on mirror, security risk

Post by JoeFootball »

andrew_nz wrote: ... official download page are hosted at https://ftp.heanet.ie
Which is the official source from which all other mirrors propagate.
andrew_nz wrote:Linux Mint doesn't even tell them how to.
Sure they do. See the "Authenticity check" section of the instructions.
andrew_nz
Level 1
Posts: 10
Joined: Tue Jan 18, 2022 7:56 pm

Re: Recommended ISO checksums hosted on mirror, security risk

Post by andrew_nz »

rene wrote: Sat Jan 29, 2022 5:58 am
andrew_nz wrote: Sat Jan 29, 2022 4:44 am It just seems a bit mad that the one distro that has dealt with a malicious ISO hack doesn't do this tiny change that could make a big difference.
As was just explained, the one distro that has dealt with a malicious ISO hack has elected for the technically superior method of cryptographic verification that is in place currently, and as a result of that very episode 6 years ago. You state that if the checksums are "hosted on the official domain or in its HTML it is a secure method" but without justification for such: webservers can be compromised and this is in fact precisely what happened back then: the Linux Mint website got hacked to link to a backdoored .iso. Not anything to do with checksums, which would/could moreover have been changed right alongside the link if they would have had, so pray tell, how is this thing that those "many other distros recommend" in fact a better thing rather than a worse thing?

Technically. Linux Mint has at the moment an explicitly secured server also for e.g. distributing the key fingerprint and I've frankly also considered that putting the checksums up there as well could be beneficial for e.g. Windows users -- but said server being very explicitly hard to change things around on might of course have something to do with things, even if my earlier "official endorsement of lesser method" wouldn't have.

The thing you seem to not acknowledge is that Linux Mint has at the moment elected for a scheme technically superior to your suggestion and to those many other distributions' methods, and specifically as a result of seeing your suggestion compromised once already. If the remaining argument is the social one I'm not all that interested: for Linux users the linked authentication instructions are easy; those amongst Linux users who waffle on about security while being too incompetent and/or intellectually lazy to use those easy instructions I'd see Darwin-ed out of here sooner rather than later anyway. Windows users admittedly perhaps not so much, and that's the context in which I've here suggested not bothering with the authentication step; can after all just verify sums from the web at large and/or from this forum specifically, and we're talking about one-in-a-millions anyway, and in which context I've as said considered that putting the sums on a secured server could be good.

Your statement of things being secure when "hosted on the official domain or in its HTML" is in any case simply untrue and that makes your suggestion not useful as such: a compromised website is the very thing that once was the problem and the thing that is being defended against; as to why the currently also active explicitly secured server is not the answer relies on details of the internal Linux Mint network infrastructure to which neither you nor I am privy.

Note by the way that Linux Mint is located in Ireland. The Heanet server is "the official/first Linux Mint server" in any sense in which any such exists in the first place.
The reason it's better is because generally speaking a distribution has a huge amount of confidence in the security of their official server, the server they have complete control over.

That is a fundamental part of using safe software. Official sources. If you can't admit that I don't think you're looking at this in a logical, impartial way.
andrew_nz
Level 1
Posts: 10
Joined: Tue Jan 18, 2022 7:56 pm

Re: Recommended ISO checksums hosted on mirror, security risk

Post by andrew_nz »

Deleted; my phone crashed and it didn't look like the previous post went through, but it eventually did.
Last edited by andrew_nz on Sat Jan 29, 2022 6:09 pm, edited 1 time in total.
rene
Level 20
Posts: 12212
Joined: Sun Mar 27, 2016 6:58 pm

Re: Recommended ISO checksums hosted on mirror, security risk

Post by rene »

Shall leave it at the observation that by and large any organization that was ever hacked had "a huge amount of confidence" in their infrastructure right up until that point then. You were now duly informed as to the authentication step being an integral part of the procedure. Use that newly acquired knowledge or don't use it -- but your suggestion is still rubbish in the described sense.
andrew_nz
Level 1
Posts: 10
Joined: Tue Jan 18, 2022 7:56 pm

Re: Recommended ISO checksums hosted on mirror, security risk

Post by andrew_nz »

rene wrote: Sat Jan 29, 2022 6:08 pm Shall leave it at the observation that by and large any organization that was ever hacked had "a huge amount of confidence" in their infrastructure right up until that point then. You were now duly informed as to the authentication step being an integral part of the procedure. Use that newly acquired knowledge or don't use it -- but your suggestion is still rubbish in the described sense.
How would someone know https://ftp.heanet.ie is even affiliated with Linux Mint? It looks like a hack. You're not looking at this logically.
Last edited by andrew_nz on Sat Jan 29, 2022 6:53 pm, edited 2 times in total.
andrew_nz
Level 1
Posts: 10
Joined: Tue Jan 18, 2022 7:56 pm

Re: Recommended ISO checksums hosted on mirror, security risk

Post by andrew_nz »

Unfair for you to say rubbish when almost every distribution backs up what I'm saying.

At the end of the day what you're saying is it's being done the way it is because the security at that university (https://ftp.heanet.ie/) is superior to the official domain. If anyone is browsing this thread, there is your answer.

What I said about using official domains to download safe software is backed up by every security expert on the planet.