by idupree 4601 days ago
It's hard to download from Sourceforge using HTTPS. (Or even to use HTTPS to get the SHA hash of a download.) Can you tell me how to do it, so I can download from Sourceforge without risk of a man-in-the-middle modifying the download to, say, contain malicious code?
1 comments

Navigating to the directory from the 'Files' tab and clicking the 'i' icon to the right of each filename available for download displays the 'View details' panel with the SHA1 hash of that file. Is that not enough?
No, because you can't access that hash from https://sourceforge.net/ (https://sourceforge.net/ is just a redirect to http).

It's slightly more of a nuisance for the attacker to modify the hash as well as the file, but if they can modify the .zip you get, then they'll surely have no trouble doing "s/the original zip's hash/their malicious zip's hash/" on all your unauthenticated web traffic too. It's a simpler modification than Upside-Down-Ternet.

In this case, they do need to create a compromised version of the zip before you view the hash, but that can be arranged with good probability by tracking the web pages you visit, pre-computing compromises of popular downloads, and/or slowing down your page load speed to give them enough time to compute and serve you compromised hashes. It wouldn't be too hard for an accomplished Web villain to have a good shot at compromising your computer if you are using public WiFi or they have ISP or NSA level access, provided you download software insecurely. (My unfortunately ranty blog post on the matter: http://idupree.dreamwidth.org/3233.html)

HTTPS isn't perfect, but it (and/or other cryptographic signing) is the minimum we should accept for downloads of code that can quietly pwn your user account when you run 'make'.
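
Added example, not part of the original thread: a Python check that accepts a download only when the digest matches and the digest itself arrived over a redirect chain with no plain-HTTP hop, which is the gap the reply above describes. The URLs, file contents and function names are constructed for illustration, and it uses SHA-256 rather than the SHA1 shown in the 'View details' panel.

```python
import hashlib
import hmac
from urllib.parse import urlsplit


def chain_is_authenticated(redirect_chain):
    """True only if every hop, including the final URL, is HTTPS.

    A single http:// hop lets an on-path party rewrite whatever follows.
    """
    return bool(redirect_chain) and all(
        urlsplit(url).scheme.lower() == "https" for url in redirect_chain
    )


def verify_download(data, expected_sha256_hex, hash_chain):
    """Accept `data` only if the digest matches AND the digest itself
    arrived over a fully authenticated channel."""
    if not chain_is_authenticated(hash_chain):
        return "reject: hash fetched over an unauthenticated hop"
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256_hex.strip().lower()):
        return "reject: digest mismatch"
    return "accept"


# Constructed sample data (not real project files or URLs).
GENUINE = b"genuine release archive"
TAMPERED = b"archive modified in transit"
PINNED = hashlib.sha256(GENUINE).hexdigest()    # digest obtained over HTTPS
IN_BAND = hashlib.sha256(TAMPERED).hexdigest()  # digest rewritten with the file

HTTPS_ONLY = ["https://downloads.example.org/app.zip.sha256"]
DOWNGRADED = ["https://files.example.org/", "http://files.example.org/"]


def demo():
    return {
        # File and hash both crossed plain HTTP: a match proves nothing.
        "in_band": verify_download(TAMPERED, IN_BAND, DOWNGRADED),
        # Hash came over HTTPS end to end: the modified file is caught.
        "pinned_tampered": verify_download(TAMPERED, PINNED, HTTPS_ONLY),
        "pinned_genuine": verify_download(GENUINE, PINNED, HTTPS_ONLY),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The in-band case is rejected even though the digest matches the file, because a hash delivered over the same unauthenticated path as the download says nothing about who produced either one.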