Posts by kaisti

    http://releases.libreelec.tv/LibreELEC-RPi2.arm-8.0.2.img.gz?mirrorlist

    The problem is that the checksum is also provided over http, so that could easily be changed in a man-in-the-middle attack.


    The only way around this is that some of it, preferably all, is serviced over https.

    All the download links on the download page (downloads – LibreELEC) are pointing to http and not https.

    This opens up for a man-in-the-middle attack.


    So how can I know or check if what I download is genuine LibreELEC software and not some malicious version?

    I don't find any PGP signature or any hashes of the software.
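
The concern raised in these posts, shown as an added example (not part of the original posts and not LibreELEC's own tooling): a checksum fetched over the same unauthenticated channel as the image still matches when both are replaced together, while a digest obtained over an authenticated channel does not. The image bytes are constructed stand-ins, and the `sha256sum`-style checksum line format and the existence of a trusted digest source are assumptions.

```python
import hashlib
import hmac

HEX = set("0123456789abcdef")
NAME = "LibreELEC-RPi2.arm-8.0.2.img.gz"  # file name taken from the URL in the post

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_checksum_line(line: str) -> str:
    """Extract the digest from a sha256sum-style line: '<hex>  <filename>'."""
    fields = line.split()
    if not fields:
        raise ValueError("empty checksum line")
    digest = fields[0].lower()
    if len(digest) != 64 or not set(digest) <= HEX:
        raise ValueError("not a SHA-256 hex digest")
    return digest

def verify(image: bytes, checksum_line: str) -> bool:
    """True when the image hashes to the digest named in checksum_line."""
    return hmac.compare_digest(sha256_hex(image), parse_checksum_line(checksum_line))

def checksum_line_for(image: bytes) -> str:
    return f"{sha256_hex(image)}  {NAME}"

# Constructed sample data standing in for real downloads.
GENUINE_IMAGE = b"constructed stand-in for the genuine image bytes"
TAMPERED_IMAGE = b"constructed stand-in for a modified image"

# Assumption: this line was obtained over an authenticated channel
# (for example an https page or a signed release note).
TRUSTED_LINE = checksum_line_for(GENUINE_IMAGE)

def scenario_results() -> dict:
    # Over plain http, whoever alters the image response can alter the
    # checksum response too, so the pair stays self-consistent.
    same_channel_line = checksum_line_for(TAMPERED_IMAGE)
    return {
        "genuine_vs_trusted": verify(GENUINE_IMAGE, TRUSTED_LINE),
        "tampered_vs_same_channel": verify(TAMPERED_IMAGE, same_channel_line),
        "tampered_vs_trusted": verify(TAMPERED_IMAGE, TRUSTED_LINE),
    }

if __name__ == "__main__":
    for case, ok in scenario_results().items():
        print(f"{case}: {'match' if ok else 'MISMATCH'}")
```

A matching checksum therefore only shows the file was not corrupted in transit; authenticity depends on where the expected digest came from.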