This therefore might delude people into a false sense of security, in two ways:
1. MD5/SHA1 look more secure than they are recognized to be.
   The - perhaps alphabetical - list of files begins with these, as if they were that important rather than the fallback option: so users may get tempted to verify only these outdated measures, both for Ubuntu and - more worryingly - for other downloads, as the poor practice of today keeps being in use at a relatively renowned location.
2. MD5-verified hashes feel sufficient specifically for these Ubuntu downloads.
However, an OS can intercept anything you do using it: all the passwords you type in, the data transmitted or received, etc.
Good thing: the Ubuntu 20.04 ISO comes via HTTPS (finally), as well as the corresponding hashes. I don't think it was the case in December.
---
Bad things at https://lubuntu.me/downloads/
1. When going for the magnet link, it leads to
http://cdimage.ubuntu.com/lubuntu/releases/20.04/release/lubuntu-20.04-desktop-amd64.iso
2. MD5 is explicitly encouraged
"Note: make sure to verify the integrity (md5sums)"
Probably very bad things at http://cdimage.ubuntu.com
cdimage.ubuntu.com isn't accessible via https at all.
Theoretically in this case, man-in-the-middle attacks could relatively easily and consistently compromise the hash files as well as the ISO files, since both come from the same unauthenticated source, so basically anything could be installed instead of your much trusted Linux OS.
And this I think is that comprehensive repository of files that you, as a layman, would trust - it probably looks as geeky as it could ever get on the graphical web:
The best thing is I just wanted to install a Lubuntu ... and I'm left without a thought :) is the one that came through Torrent safe enough? Should I just get bored and trust my luck? o.O
Update: the MD5 file pointed to here actually contains a single MD5, exposed via plain HTTP. 😭😭😭
http://cdimage.ubuntu.com/lubuntu/releases/focal/release/MD5SUMS
Jesus Christ.
UPDATE: okay, I'm dreadfully wrong here :) Lubuntu is fine.
Although ... well, frankly, I just read the sentence to "verify md5", then did (was a bit pissed off and took a mental note already of its insufficiency), then went on ...
One thing: people don't want to read. Then what you get is unread stuff - like the continuation. I knew I'd be able to verify an md5. They provide more info in the 'read more' section.
Irrespective, I carried on for an attempt, but Lubuntu wanted 8 GB of disk space so I felt like it isn't lightweight anymore in exactly the way I would expect a lightweight thing to be lightweight and searched on.
Paving my way through the search hits, I got reminded of Puppy Linux.
Then Puppy will initially steer you towards downloading every single bit via HTTP (nooo....) and verifying against those hashes. So I don't think it's too fine there either. Now I'm tempted to not download anything that comes up with a http:// URL, even for the referring website. (Theoretically those links could, had they pointed to https content, be tampered with even ... although that'd be a difficult job in some ways - https does mean some guarantee about the identity of the target web site.) Nevertheless, the typical steps to download your first Puppy first take you to http://puppylinux.com/download.html, then to http://murga-linux.com/puppy/viewtopic.php?t=113244 where you get an ISO with an md5 ... and yes, no PGP there, no emphasized SHA, and no highlighting of HTTPS ... OMG, why.
But: this site (distro.ibiblio.org) is accessible via https, if you are keen. Are you?
(I think there really should be a HTTPS redirect.)
If I have been deceived (probably on multiple occasions) in the past, I can't help wondering how many people could have obtained their safe & secure OS in an unsafe and insecure way so far...?
Anyway, it was only after this that I made a complete fool out of myself on the Lubuntu forums <shakes hand with himself complacently/>, asking for a safe download method.
Well, the default/consistent use of HTTPS, as you see, could prevent some insecure situations, whether or not their prevalence additionally depends on the users' level of expertise.
Short takeaway: Lubuntu does offer a way (considered safe) to verify the authenticity of the download - a PGP signature. This (at least for recent versions) is safe to download over plain HTTP, because a signature is difficult to forge.
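As an added example (my own code, not from the post or from the Ubuntu/Lubuntu projects), the script below does the hash half of that takeaway and the HTTP point from the man-in-the-middle paragraph above: it parses an MD5SUMS/SHA256SUMS-style file in the coreutils `<hexdigest> *<file>` format, streams the ISO through hashlib, refuses to call an MD5 or SHA-1 match a pass, and flags any download or checksum URL that is not https://. The ISO bytes, the temporary directory and the https URL are constructed for the demo; the file and URL names reused from this page are only labels. The PGP half is a separate step not shown here: `gpg --verify` of the checksum file against the distro's signing key, and that key has to come through a channel you trust independently of the download, otherwise a signature fetched over plain HTTP proves nothing.

```python
# Added example, not Lubuntu's or Ubuntu's tooling: verify an ISO against a *SUMS file
# and refuse weak setups (md5/sha1 entries, non-HTTPS sources). Sample data is constructed.
import hashlib
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Hex digest length -> algorithm, covering the *SUMS files distro mirrors publish.
HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
# MD5 and SHA-1 are collision-broken; only these count as an integrity check here.
ACCEPTABLE_ALGOS = {"sha256", "sha512"}


def parse_sums(text):
    """Parse '<hexdigest> *<file>' or '<hexdigest>  <file>' lines (coreutils format).

    Returns {filename: (algo, hexdigest)}; blank lines and '#' comments are skipped.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # drop the binary-mode '*' marker or the second space
        algo = HEX_LEN_TO_ALGO.get(len(digest))
        if algo is None or not all(c in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"unrecognised checksum line: {raw!r}")
        entries[name] = (algo, digest.lower())
    return entries


def url_problems(url):
    """Return the reasons a download/checksum URL should not be trusted blindly."""
    problems = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append(f"{url}: scheme '{parsed.scheme}' authenticates no server; "
                        "an on-path attacker could replace both the ISO and its hash file")
    return problems


def hash_file(path, algo, chunk_size=1 << 20):
    """Stream a (possibly multi-GB) file through hashlib without reading it whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_iso(iso_path, sums_text):
    """Check iso_path against a *SUMS file's text. Returns (ok, reason).

    A matching MD5/SHA-1 entry is reported as a failure: the digest being right does
    not show that the file is the one the publisher released.
    """
    iso_path = Path(iso_path)
    entries = parse_sums(sums_text)
    if iso_path.name not in entries:
        return False, f"{iso_path.name} is not listed in the checksum file"
    algo, expected = entries[iso_path.name]
    if algo not in ACCEPTABLE_ALGOS:
        return False, f"checksum file only offers {algo}; insist on sha256/sha512 plus a signature"
    actual = hash_file(iso_path, algo)
    if actual != expected:
        return False, f"{algo} mismatch: expected {expected}, got {actual}"
    return True, f"{algo} matches ({actual})"


def demo():
    """Run the checks on a constructed stand-in ISO in a temp dir; return the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        iso = Path(tmp) / "lubuntu-20.04-desktop-amd64.iso"  # name from the page, bytes constructed
        iso.write_bytes(b"constructed stand-in for an ISO image\n" * 1000)
        # Both checksum files are derived from the same bytes, as a publisher would do.
        md5sums = f"{hash_file(iso, 'md5')} *{iso.name}\n"
        sha256 = hash_file(iso, "sha256")
        sha256sums = f"{sha256} *{iso.name}\n"
        # A checksum file whose first hex digit was altered, standing in for a swapped ISO.
        tampered = ("0" if sha256[0] != "0" else "1") + sha256[1:]
        return {
            "md5_ok": verify_iso(iso, md5sums)[0],
            "sha256_ok": verify_iso(iso, sha256sums)[0],
            "tampered_ok": verify_iso(iso, f"{tampered} *{iso.name}\n")[0],
            "http_problems": url_problems(
                "http://cdimage.ubuntu.com/lubuntu/releases/focal/release/MD5SUMS"),
            "https_problems": url_problems("https://example.invalid/SHA256SUMS"),  # constructed
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as-is, the demo reports the MD5 match as a failure, the SHA-256 match as a pass, the altered digest as a mismatch, and one problem for the http:// URL. The point of refusing MD5 even when it matches is the one the post makes: a checksum fetched from the same plain-HTTP location as the ISO is only a transfer-error check, and MD5 does not even do that against a deliberate substitution; the signature on the checksum file is what ties the bytes to the publisher.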
Never forget!
(And please use HTTPS on your servers if it doesn't cost you too much ... and there's always letsencrypt, at the very least.)