Hello! I have a bad habit of not verifying linux ISOs, since I’m always downloading them from official websites.
A couple of days ago, I downloaded a Fedora ISO and flashed it with Etcher. The download had no problems, and it flashed without problems. The install also went smoothly and the system worked.
However, I have now heard that you should check the ISO for malicious content, and that it was not tampered with. This came as a very big surprise, since I have always thought that if you just make sure that the website is the official one, you should be fine. I also now heard that all the downloads seem to come from mirrors. How big of a chance is there to get a malicious ISO from these mirrors? Does the Fedora team actually verify that these mirrors are working well and that they are legit, and that ISOs downloaded from these mirrors are safe?
Most people don’t seem to verify their ISOs, and for that reason it is a bit worrying that people keep downloading stuff from these mirrors, and they might get something bad on their computer at the kernel level.
So how big of a chance is there that I actually got something very harmful to my computer? I don’t mean errors, but security issues like embedded spyware which shouldn’t be on the ISO.
That suggestion has been clearly posted on Fedora’s download page for a long, long time, as has the checksum file used to verify the integrity of the downloaded image.
There are 2 main vectors for corruption.
1. The image itself has been compromised, as might happen should a compromised image be uploaded to one of the mirrors. I do not believe this is likely, since the method by which the mirrors are kept in sync with the main repo should have checks built in, much like dnf itself verifies package integrity when downloading updates for you.
2. Something causes the image you download to get corrupted during the download.
Either of these potential corruptions can quickly be checked and eliminated by doing a quick verification using the provided CHECKSUM files.
The process by which files are transferred from Fedora to the mirrors is of course approved, the process of syncing between the Fedora main repo and the mirrors is tested and verified, and the likelihood of having malicious code inserted anywhere is extremely tiny. You are much more likely to have corruption occur during the actual download to your system than to have malicious code in the packages provided.
I see an occasional corruption message during my regular updates, and it is always detected and corrected by the software before the upgrade actually proceeds. Usually it is a checksum mismatch between the expected and actual downloaded file so it gets downloaded again to be sure the received data is correct. Occasionally there is a problem with a mirror in speed or response and that is handled by switching to a different mirror. All this happens in the background with no need for user action.
The only point where corruption may become an issue is (usually) where the user downloads a file such as the ISO image and fails to verify the download before using it. That leaves a possibility for problems, which though rare, theoretically may occur.
If everyone who downloads an image does check, issues with a mirror site will be discovered relatively quickly. Checking downloads should be considered as helping not only yourself, but others as well.
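The check the post above recommends, written out as an added example (not code from the thread or from the Fedora project): first confirm the CHECKSUM file carries Fedora’s signature, then compare the image’s SHA256 against the signed value. The filename, the `fedora.gpg` keyring path and the constructed sample image are assumptions for the offline demo; on a real download, `sha256sum -c *-CHECKSUM` run in the download directory does the same comparison as `verify_iso_checksum`.

```shell
#!/bin/sh
# Added example: two-step verification of a downloaded Fedora image.
# Fedora CHECKSUM files contain BSD-style lines: SHA256 (file) = hash

# Step 1: the CHECKSUM file must be signed by Fedora. Without this step a
# mirror could serve a tampered image with a matching hash. Assumes gpgv
# and Fedora's keyring (fedora.gpg, fetched from fedoraproject.org over
# HTTPS rather than from the mirror). Not exercised in the offline demo.
verify_checksum_signature() {
    keyring=$1
    checksum_file=$2
    gpgv --keyring "$keyring" "$checksum_file" >/dev/null 2>&1
}

# Step 2: look up the image's line in the CHECKSUM file and compare the
# recorded hash with the one computed locally. Returns 0 only when the
# image is listed and the hashes agree.
verify_iso_checksum() {
    checksum_file=$1
    iso=$2
    name=$(basename "$iso")
    expected=$(grep -F "SHA256 ($name) =" "$checksum_file" | awk '{print $NF}')
    [ -n "$expected" ] || return 1
    actual=$(sha256sum "$iso" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Offline demonstration with a constructed image and CHECKSUM file
# (placeholder filename, not a real Fedora release). Prints and returns
# the two outcomes: an intact download passes, a modified one fails.
demo() {
    work=$(mktemp -d)
    iso="$work/Fedora-Example-Live-x86_64.iso"
    printf 'constructed image contents\n' > "$iso"
    hash=$(sha256sum "$iso" | cut -d' ' -f1)
    printf 'SHA256 (%s) = %s\n' "$(basename "$iso")" "$hash" > "$work/CHECKSUM"

    if verify_iso_checksum "$work/CHECKSUM" "$iso"; then good=pass; else good=fail; fi
    # Simulate a corrupted or tampered download: one extra byte.
    printf 'x' >> "$iso"
    if verify_iso_checksum "$work/CHECKSUM" "$iso"; then bad=pass; else bad=fail; fi
    rm -rf "$work"
    echo "intact:$good tampered:$bad"
}
```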
I see. Thank you for your comprehensive comment. It might have been worth checking the checksum, but it didn’t come to my mind, since I have always lived in the reality that these ISO files must be completely safe as long as you download them from the official internet address. Only recently did I start researching the matter, and I started to get really paranoid, because I wouldn’t want my account passwords and other information to fall into the hands of hackers just because a harmful live ISO has been burned onto my stick.
The mirrors, OTOH, are usually privately owned, and I suspect most of them take the responsibility for security seriously. Many are, after all, provided by educational institutions and would take a hit in reputation should data be hacked or malicious code be provided from that source.
For each repo package downloaded and installed, dnf does verify the package on the end user’s machine. With the ISO images that does not happen.
Given the average level of technical literacy in the Fedora community, the window for this vulnerability really shouldn’t be large, but the more users think this way and neglect verifying downloads, the larger the window becomes and the greater the impact could be if such an attack ever happens.
Moreover, a smart attacker can try to cover their tracks and make the window even larger by serving a compromised image only for a small number of download requests, so most of the downloads of the same image will be normal, and a few may look just accidentally corrupted but in fact will have been tampered with.
Just to add: if you use Fedora Media Writer to copy the ISO to the USB, it will check that ISO, and when you start the ISO it will give an option to test before installing or starting, which will also check the ISO.
For those who care about security, it is good practice to use a chain of trust whenever possible.
Keep in mind that the startup check can only confirm that the image was correctly written to the media, so a fake image can also pass this check.
Everyone should care about security. We do have to make judgements about what level of effort is appropriate, but checking that an installer is in good order is not hard, and eliminates one potential cause if a problem is encountered during an installation.
Also remember that you likely never download from a Fedora-operated server. You are downloading from a mirror server, which almost anyone can operate and use to provide Fedora ISOs.
You are supposed to check every ISO every time, no matter what the distro or package is or the server you download it from.
That sounds very dangerous from a security standpoint, that literally anyone can provide these ISOs for average users who have no idea what a mirror or a checksum even means.
I don’t know about average, but I increasingly encounter new users whose previous experience with computers was limited to a smartphone. One of my colleagues felt that installers should start with a pop-quiz to ensure the user had the requisite knowledge.
I do think users would be better off if computer training started with installing the OS on bare hardware.
In practice, a quiz would need to provide a token that can be used to bypass future encounters with the quiz, but then tokens would get passed around or even sold.
Well, but the mirrors you are redirected to from the Fedora site, that is the list you can find here (Home - MirrorManager), are not “anyone”. To become an official mirror there is a policy. I mean that security matters, sure, and checking what you download is a good habit, but by downloading Fedora Linux you are not redirected to a random site that could also be a malicious actor intentionally spreading modified ISOs.