Downloading safely

The attack: a site that looks like the one you want, but isn't (eg bank site).

The solution: Your browser should protect from "spoof" sites. Make sure a lock symbol shows up somewhere when you need to be sure what site it is.

The following text is from http://stackoverflow.com/questions/188266/how-are-ssl-certificates-verified. Note that this also provides privacy for the connection:

1.	Your web browser downloads the web server's certificate, which contains 
    the public key of the web server. This certificate is signed with the private key 
    of a trusted certificate authority.
2.	Your web browser comes installed with the public keys of all of the major certificate 
    authorities. It uses this public key to verify that the web server's certificate was 
    indeed signed by the trusted certificate authority.
3.	The certificate contains the domain name and/or ip address of the web server. 
    Your web browser confirms that the address listed in the certificate is the one 
    to which it has an open connection.
4.	Your web browser generates a shared symmetric key which will be used to encrypt 
    the HTTP traffic on this connection; this is much more efficient than using 
    public/private key encryption for everything. Your browser encrypts the symmetric key 
    with the public key of the web server then sends it back, thus ensuring that 
    only the web server can decrypt it, since only the web server has its private key.

See also http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html for a demo of the messages exchanged for a secure connection (we will come back to this AFTER wireshark demo).

The attack: getting you to download software that contains a trojan horse (or other virus).
The solution: If you know you're downloading from a trusted site, not to worry; however, if you don't see the lock symbol, then you don't know who you're downloading from.

Another solution: posted checksums. The originator computes a checksum on the file to be distributed and posts it. You can compute the same checksum after downloading -- they should of course match. If the file is changed, the checksum will change with very high probability, and so you'll be warned.

An example: http://www.debian.org/CD/verify.en.html

 The way we usually work:
 1.  dmg's can include authentication but I don't think they're guaranteed to be authenticated.
 2. msi can also, I think, but I don't see a discussion of it in Wikipedia
 3. apt-get is definitely protected

See http://en.wikipedia.org/wiki/Apple_Disk_Image#UDIF_data_format for a description of DMG files. They also describe MSI files in wikipedia, but don't mention authentication.

Please send or post questions about installs (you can use the Issues button to the right).