It would also help a little if they enabled HTTPS on their domains and publish the SHA-256 signatures instead of MD5. They also include external JS from non-HTTPS sources.
My hope here is that this event gets people to start taking malicious-download threats seriously.
I know they should be using actual PGP signatures or whatever instead of just hashes; but:
Choosing to use MD5 at all in 2016 is a sign of negligence and incompetence when it comes to crypto.
There’s no excuse for choosing to use MD5 or SHA1 for anything today.
There’s no excuse for coming up with probably-incorrect handwaving arguments about how “MD5 is broken, but not broken in how we use it” or “we also provide sha1 hashes” instead of replacing it with an actually secure hash (there are faster and more secure hashes out there like blake2b).
Choosing to use MD5 or SHA1 (or other such hallmarks of bad 90s-era civilian cryptography) is as cringeworthy and negligent engineering as the safety engineering in 1960s American cars that ended with “padded dashboards” and 2-point seatbelts and “recessed hub steering wheels”.
If I’ve understood this correctly, in this case it wouldn’t really help? I mean would a regular linux mint user verify it after download?
My take is that the installer should verify itself, something akin to signify on openbsd but for the whole image.
Website vulnerability allowed the attackers to point to a trojaned ISO. It would be interesting to know what the full attack was.
Just WordPress, you know…
Recommended thread: https://www.reddit.com/r/netsec/comments/46ujhv/linux_mint_isos_were_replaced_with_trojanized/