Menu
▾
▴
Re: [Freedos-user] verification checksums should be served over https
|
From: Jerome S. <Je...@Sh...> - 2017-01-28 14:52:34
|
> On Jan 14, 2017, at 2:21 PM, shaclacroi <sha...@fa...> wrote: > > The download page links to checksums at http://www.freedos.org/download/verify.txt -- but since this page isn't available over https, there's no way to confirm the validity of the checksums, since the page could be intercepted and modified by a man-in-the-middle attacker (https://en.wikipedia.org/wiki/Man-in-the-middle_attack). > > As free secure https certficates are now offered by Let's Encrypt (https://letsencrypt.org/), it may be advisable to get https set up for www.freedos.org. > > Alternatively, as I see your hosted on Amazon Web Services, if you're using Elastic Load Balancing or Amazon CloudFront, Amazon's Certificate Manager also offers free https certificates. > > Let me know if I can be of any help. If you are still concerned that your download might have been compromised by a MIM, you can get copies of the MD5 & SHA256 hash values or even the download the entire release media from my server https://fd.lod.bz <https://fd.lod.bz/> . At present, it contains a mirror of the FreeDOS releases and a FreeDOS compatible software repository. The repo contains all the packages that shipped with FreeDOS 1.0 through 1.2, the official repository and a couple other free software packages that are not in the official repo. Jerome |
