No HTTPS site for download

[WellBehavedDemon]

There's a chance that the TinyCoreLinux project is under attack. Home routers are known to be vulnerable garbage and, when I try to download TinyCoreLinux, either the connection to "tinycorelinux.net" fails or the response is that "there is no HTTPS support" (see the image below). But this is nonsense! I can access "forum.tinycorelinux.net" without issue so why should "tinycorelinux.net" have issues? I think that the home router that I'm using (garbage provided by a garbage ISP) detects a connection to "tinycorelinux.net" and denies it or forces an HTTP connection so that  a man-in-the-middle attack where I'll end up downloading a fake ISO image happens.



Where can I find the hashes for the TinyCoreLinux CD images? I need this to make sure that I'm not downloading a version with vulnerabilities.

[Juanito]

What happens if you load the wget and ca-certificates extensions and try something like “wget repo.tinycorelinux.net/17.x/x86/tcz/flwm.tcz.md5.txt”?

[gadget42]

one previous thread regarding the http download webpages:

https://forum.tinycorelinux.net/index.php?topic=26893.0

[WellBehavedDemon]

What happens if you load the wget and ca-certificates extensions and try something like “wget repo.tinycorelinux.net/17.x/x86/tcz/flwm.tcz.md5.txt”?

See the screenshots above. That is what happens. If I try to connect to it through HTTPS, the connection will be refused. This is odd because forum.tinycorelinux.net works without issue, but the domains where the integrity hashes and downloads are available are not served through HTTPS.

[Paul_123]

The only part of the site running https is forum.tinycorelinux.net and wiki.tinycorelinux.net.

Everything else is hosted from the repo server that is http only.  Which would include URLs like tinycorelinux.net and repo.tinycorelinux.net

[mocore]

Where can I find the hashes ...

perhaps see also

"package distribution by bittorrent" @ https://forum.tinycorelinux.net/index.php?topic=13373.msg167841#msg167841

on a bit of a tangent from tc distro iso
..but still perhaps of interest wrt https

"how to apps mirror support https?" @ https://forum.tinycorelinux.net/index.php?topic=27730.msg181090#msg181090

the wiki page about mirrors mentions archive . org has copy's of iso
https://wiki.tinycorelinux.net/doku.php?id=wiki:mirrors&s[]=mirror

and afair they offer both  # and torrent download option ...

also ftr fwiw/ last time i checked some mirrors
do support https and other protocols..

[mocore]

(see the image below)

do i *really* want that in "my" gpu mem pipeline?
sounds like another "bad" vector

  see also tompson ,  godel 

There's a chance that $N is under attack.

those who pre-configure
everyone's browser defaults (to https)
seam like a more likely cause
but dont take my word for it
ask the "built-in" / updated  "ML" that they included in latest auto-update to most 'commercially sponsored browsers'
... though im shore the TOS will say that it's only for the sake of entertainment
eg: https://hackaday.com/2026/04/01/ask-hackaday-using-copilot-are-you-entertained/
of course!