Tell HN: Linux Mint still serves their hash sums from http not https

17 points by angry-hacker ↗ HN
You can verify your ISO from downloads page[0] by choosing your version, but when you want to verify the checksum, you are asked to visit a domain http://mint-mirror.gwendallebihan.net to download a file of the hash (and/or gpg key) that is served over plain http[1].

[0]: https://linuxmint.com/verify.php

[1]: http://mint-mirror.gwendallebihan.net/isos/stable/18.1/sha256sum.txt

11 comments

[ 3.2 ms ] story [ 34.3 ms ] thread
They really can't be taken seriously anymore.
Agreed. Its bad that many non tech people still recommend it because they dont are able to understand why its a bad idea...
On a slightly related topic, ubuntu apt-gets are still usually served on http. Dodgy.
I don't know the details but any packages that you get served should include pgp signatures, that apt should verify before installation.
Private keys can be stolen or extracted via bribery, etc.
Are you saying if ubuntu served apt-gets over https, stolen private keys wouldn't be a problem?
Multiple layers of security is industry practice.
Sure. In this particular setting, having both https and pgp is definitely better and a third layer would be even better, though I cannot think of one. Successful transfer from https Ubuntu mirror says my package was not tampered with during transmission, but nothing about the validity and integrity of the package itself. The Ubuntu project most likely does not have absolute control over the various mirrors available to users, so pgp verification provides a further assurance that mere https cannot.

If I had to chose between https and pgp, I would pick pgp. The OpenBSD project has a similar scheme (called signify).

Genuinely curious — how is this a problem since the iso is served over https?
It's not