OpenBSD is a fucking joke!

Name: Anonymous 2013-11-03 6:52

Today OpenBSD 5.4 has been released [1], also known as ``the most secure operating system ever'', or at least that's what the NSA wants you to think!
Did you ever try to install OBSD? No? Well, it's pretty simple: you first go to http://openbsd.org (sorry, no TLS) and click on "Getting releases", then choose some mirror from the list of HTTP, FTP or CVS servers, and now if you want to check the integrity of your download look at the SHA256 file that you got from the same place..... wait, what?..
Yup, that is, enterprise security technique! Who needs any DSA/RSA signed hash when you can trust: your LAN, your ISP, the tier1 route till the mirror, the mirror itself, and the fUCKING WHOLE INTERNET.

This is fucking ridiculous, do not trust what the media says, OpenBSD is a fucking joke!

__________________

[1] - http://www.openbsd.org/54.html

Name: Anonymous 2013-11-03 13:39

> and now if you want to check the integrity of your download look at the SHA256 file that you got from the same place
http://mirrors.nycbug.org/pub/OpenBSD/5.4/amd64/
http://mirrors.nycbug.org/pub/OpenBSD/5.4/amd64/SHA256
Like this?

You could connect to the CVS repo using SSH, but if you already have the SHA256 checksum and the original file, why download it through HTTPS when you can compare the checksums?

Name: Anonymous 2013-11-03 16:02

>>1
Then do a favor, and pay for OBSD's CA, if we can trust it, or proposition that you maintain the self-signed CAs of all the mirrors.

*Because every client has TLS and SSL support, you know⸮ And it's not like a SHA256 checksum on all mirrors are not the same, and PGP is not included on the checksum list⸮ Too bad everyone has an HTTP, FTP, and CVS client in their handy OS⸮

But does openbsd.org have a Tor domain/gateway?

Plus, for a reason, OpenBSD is hosted in Canada, not USA, so that it does not go against the Arms Trade Treaties. Imagine if it was hosted in the USA! Why would we warn against download of USA mirrors‽

Name: Anonymous 2013-11-03 21:11

>>2
For two reasons:
- if someone is MITMing, it is trivial for them to modify your download on the fly (using Subterfuge, Scapy, etc.) and rehash those files (i.e. a new SHA256 file with new checksums that match the backdoored system)
- the owner of the mirror (or someone who compromised the server) could give you a modified version as well; the only problem then is that you can easily check the checksums on other mirrors...

The whole idea of using digital signatures is to avoid all these problems: with signed packages you know exactly who is giving you the binaries/sources and that those files have not been modified.

>>3
Of course a CA would not offer the final solution here (btw CAcert.org is free) but then someone could sign the cert, and publish the SHA256 file of every release inside the OBSD website (so they don't have to sign *EVERY* release).
> and PGP is not included on the checksum list
Sorry, do you mean that there is a PGP-signed checksum list? Where?
It's funny because they only provide SSH fingerprints for the CVS mirrors, but not for the "official" CVS server in Canada.

And what happened with all the IPSEC backdoor drama? It's not completely related to the original post, but after Snowden's latest allegations what de Raadt was claiming (about the US govt pushing buggy code) looks much more real, so I would be surprised that all this weak design for obtaining OBSD is being enforced by the NSA.
</paranoid>
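
The argument in the post above, as an added example that is not part of the thread: a checksum list fetched over the same channel as the file only detects corruption, while a list checked against a digest obtained separately (standing in here for a signature or an out-of-band fingerprint) rejects a regenerated list. File names, contents and the `PINNED` value are constructed placeholders; the line format is the BSD-style `SHA256 (name) = hex`.

```python
import hashlib
import hmac
import re

# BSD-style checksum line: "SHA256 (filename) = <64 hex digits>"
ENTRY = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<hex>[0-9a-f]{64})$")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_sha256_list(text: str) -> dict:
    """Return {filename: digest}; reject malformed or duplicate entries."""
    entries = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = ENTRY.match(line)
        if m is None:
            raise ValueError(f"line {n}: not a SHA256 entry")
        if m["name"] in entries:
            raise ValueError(f"line {n}: duplicate entry for {m['name']}")
        entries[m["name"]] = m["hex"]
    return entries

def verify(name, data, list_text, pinned_list_digest=None):
    """Without pinned_list_digest this detects corruption only; with a digest of
    the list from a separate trusted channel, the list is authenticated first."""
    if pinned_list_digest is not None:
        if not hmac.compare_digest(sha256_hex(list_text.encode()), pinned_list_digest):
            return "list-untrusted"
    entries = parse_sha256_list(list_text)
    if name not in entries:
        return "not-listed"
    return "ok" if hmac.compare_digest(entries[name], sha256_hex(data)) else "mismatch"

def make_list(files: dict) -> str:
    return "".join(f"SHA256 ({n}) = {sha256_hex(d)}\n" for n, d in sorted(files.items()))

# Constructed sample data: file names and contents are placeholders.
GENUINE = {"kernel.img": b"genuine kernel", "base.tgz": b"genuine base set"}
GENUINE_LIST = make_list(GENUINE)
PINNED = sha256_hex(GENUINE_LIST.encode())  # assumed to come from a trusted channel
ALTERED = {**GENUINE, "kernel.img": b"altered kernel"}
ALTERED_LIST = make_list(ALTERED)  # file and list changed together in transit

if __name__ == "__main__":
    for label, lst, pin in [("same-channel list", ALTERED_LIST, None),
                            ("pinned list", ALTERED_LIST, PINNED)]:
        print(label, "->", verify("kernel.img", ALTERED["kernel.img"], lst, pin))
```

A signature over the checksum list plays the role of `PINNED` without needing a new trusted value per release: only the signer's public key has to be obtained once.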

Name: Anonymous 2013-11-03 22:06

http://www.openbsd.org/faq/faq3.html#Verify
Wow. Such a great project ruined by idiotic management decisions.
