Ubuntu cdimages site is not using SSL

It seems cdimages.ubuntu.com doesn't have SSL at all. Couldn't find where to report website issues, so I posted here.

Just prepend https:// to the address and you get a secured connection.

Do you remember from which site you followed the link? I think it should be reported there.

I just typed the address, so I guess force HTTPS is not activated, so it allows HTTP too. That is just small stuff on the server side, to enable always redirecting to HTTPS and always using HTTPS.
When typing the address without HTTP or HTTPS, it defaults to non-secure HTTP.

All links I checked to ‘images.ubuntu.com’ on ubuntu.com seem to use ‘https’. If you want to report this, you can use the link ‘Report a bug on this site’ (at the bottom of the page) from, for example, Get Ubuntu.

These links contain the reporting page at the end (for example https://github.com/canonical/ubuntu.com/issues/new?template=ISSUE_TEMPLATE.yaml&reported_from=https://ubuntu.com/download).

I don’t know if this makes sense or is necessary at all but to not confuse anybody you could alter this address to contain the ‘bugged’ address.
https://github.com/canonical/ubuntu.com/issues/new?template=ISSUE_TEMPLATE.yaml&reported_from=http://cdimages.ubuntu.com

I just tried the link to cdimages.ubuntu.com and it went to the HTTP address and not the HTTPS one, so there is definitely a minor problem at that website.

Cheers
Pete

1 Like

Not necessarily. It may also be intended to not block unencrypted access to the subdomain ‘cdimages’, for whatever reason - I do not know.

@thephatle Are you going to report this? Or did you already report it?

Will make a report today when I have some more time on my hands.

1 Like

The only contact I have with those ISOs is with zsync, and there is always a sha256 checksum at the end of the download. This has been true for more than a decade. I don’t get the problem if the download is using zsync. Note: zsync won’t work with https:

2 Likes

The images all have a checksum file sitting next to them and a GPG signature for that checksum that is signed by the Ubuntu archive key. Given you should always verify the GPG signature and checksum for an image, SSL doesn’t really add any additional security here, but only complexity in the end.

5 Likes
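The verification order described in the post above, as an added example that is not part of the original thread: first check the GPG signature on the checksum list, then check the image against its entry in that list. The function names and the keyring path are hypothetical; the keyring is assumed to hold the Ubuntu signing key, obtained and verified out of band, and the checksum list is assumed to use the usual `sha256sum` line format.

```shell
#!/bin/sh
# Added example (not from the thread): verify a downloaded image that may
# have arrived over plain HTTP. Function names are hypothetical.

# Step 1: check the detached signature on the checksum list.
# $1 = keyring file holding the trusted signing key (assumption: fetched and
#      checked out of band; give a path containing "/" so gpgv uses it as is)
# $2 = checksum list, $3 = its detached signature
verify_sums_signature() {
    keyring=$1 sums=$2 sig=$3
    gpgv --keyring "$keyring" "$sig" "$sums"
}

# Step 2: compare the image's SHA-256 with its entry in the checksum list.
# Returns 0 on match, 1 on mismatch, 2 if the list has no entry for the image.
check_image_sum() {
    sums=$1 image=$2
    name=$(basename "$image")
    # Lines look like "<hash> *<file>" (binary mode) or "<hash>  <file>".
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
    [ -n "$expected" ] || { echo "no entry for $name in $sums" >&2; return 2; }
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || { echo "checksum mismatch for $name" >&2; return 1; }
}

# Both steps in order: an unsigned or tampered checksum list stops the check
# before the image hash is even considered.
verify_image() {
    keyring=$1 sums=$2 sig=$3 image=$4
    verify_sums_signature "$keyring" "$sums" "$sig" \
        || { echo "bad signature on $sums" >&2; return 3; }
    check_image_sum "$sums" "$image"
}

# Usage: sh verify.sh ./keyring.gpg SHA256SUMS SHA256SUMS.gpg image.iso
if [ "$#" -eq 4 ]; then
    verify_image "$@"
fi
```

The checksum alone only detects corruption; it is the signature on the checksum list that ties the image to the publisher, which is why step 1 comes first.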

That’s one very good reason for not blocking unencrypted access.

I tested this on other machines I have, and the others default to HTTPS. Then I checked the browser settings, and all of those have "use HTTPS mode always" set. After that I checked my Firefox browser and it has HTTPS mode disabled (snap). Turning this off, all is good, so it is working as it should now.

1 Like