Insecure transport of OI cryptographic digests
Most of the pages that link to the OpenIndiana Hipster images
are served over https. They do contain links to the digest files,
but the files themselves are served in plaintext.
I support the idea of distributing the images in plaintext (e.g. for compression and caching),
however the digests and the signature files are vulnerable if they are not authenticated.
Distributing broken security is often worse than a lack of security,
due to the mismatch between the expectation of the user and reality.
It is also problematic that there are plaintext pages that link to the images,
(e.g: http://dlc-origin.openindiana.org/) as their links to the digest files (or signature files)
may be modified in transit.
I recommend that the digests be literal in the pages that link to the images, instead of linking elsewhere.
I also recommend that the choice of digest algorithm be reconsidered, although that is not urgent.
Simply, if the configuration isn't changed, there is no way to assure the authenticity of the images.
The main site:
and the wiki:
and an insecure page that links to images:
There may be others I am unaware of.
Unfortunately I cannot fix the wiki myself as I have no way to know the correct digests. :)
Updated by Adam Števko over 4 years ago
Can you elaborate what is "broken security" here? 2017.04 release notes contain clear instructions how to verify downloaded ISO medias securely (https://wiki.openindiana.org/oi/2017.04+Release+notes). There is also a mention about what GPG key ID were are using for signing.
If the files were modified in transit, the checksum will change and GPG will warn you about that. In the next release, we will produce <iso>.sig files to make it even simplier.
Just the fact that some parts are not available via HTTPS, doesn't mean that they can't be verified securely, so I consider this as an unjustified.
Updated by Charles Morris over 4 years ago
Even if adding a GPG signature to the latest release of OI had fixed the problem, which it did not,
every other release of OpenIndiana Hipster (18 releases since 2013) is vulnerable to attack.
There exist realistic attack scenarios that make the addition of the GPG signature insufficient,
at least in it's current rendition, although it's a welcome addition so I would suggest you continue to do so.