
Does this change things for HTTP downloads?

Posted: 2024-08-06, 19:16
by BenFenner
I know there has been discussion of Pale Moon downloads performed over HTTP (versus HTTPS) in the past. I searched a bit but could not find the discussions to link, sorry.

I think I checked correctly just now and found the downloads still happen over HTTP.

I've not been one of the ones pushing for HTTPS (although I do see how it might be helpful for those in countries where just downloading certain software might get you in hot water) so no need to read into this.

I'm curious; does the recent ISP compromise tip the scales any in either direction? Read below:

https://it.slashdot.org/story/24/08/06/ ... hacked-isp

Re: Does this change things for HTTP downloads?

Posted: 2024-08-06, 19:38
by Pentium4User
If you download something via HTTP, there is no verification by default.
You would need to get a pubkey from the vendor in a secure way to verify the file.
With TLS this is now delegated to the CAs. They are not all trustworthy and security problems still exist (e.g. issuing certificates without verifying identity etc., hacked CA etc.), but it is much, much better than simple HTTP.

Re: Does this change things for HTTP downloads?

Posted: 2024-08-06, 20:46
by Moonchild
BenFenner wrote:
2024-08-06, 19:16
I think I checked correctly just now and found the downloads still happen over HTTP.
Only if you loaded the website over http. If you visit the site over https, then downloads will also be https. So, it's your choice how to download.
As for integrity, we publish hashes and pgp sigs.

Re: Does this change things for HTTP downloads?

Posted: 2024-08-06, 22:41
by moonbat
Moonchild wrote:
2024-08-06, 20:46
As for integrity, we publish hashes and pgp sigs.
I have to ask, how overstated is the supposed risk of using HTTP for public websites that require no logins and store no user-data? Especially given you're providing hashes. Could someone MITM an HTTP site and provide hashes to the replaced files?

Re: Does this change things for HTTP downloads?

Posted: 2024-08-06, 23:25
by RealityRipple
moonbat wrote:
2024-08-06, 22:41
Could someone MITM an HTTP site and provide hashes to the replaced files?
Sure for the hashes, but not the PGP signatures. Hashes verify file integrity between "a" server and "a" client, no more.

Re: Does this change things for HTTP downloads?

Posted: 2024-08-07, 09:17
by Moonchild
moonbat wrote:
2024-08-06, 22:41
how overstated is the supposed risk of using HTTP for public websites that require no logins and store no user-data?
It's considerably over-stated. While it's certainly possible to MITM an HTTP site on a file-by-file basis, it's extremely impractical to do so (unless you want to really spearfish particular users of particular sites individually and want to expend that effort for the attack). If you can successfully MITM these users, it'll be much easier to attack their traffic in different ways than to intercept and rewrite individual HTTP responses.
moonbat wrote:
2024-08-06, 22:41
Could someone MITM an HTTP site and provide hashes to the replaced files?
Technically, yes, but then you have an even more complicated thing to set up as you'd have to replicate the entire website with changed hashes (as opposed to the "simple" replacement of downloads in-flight or what not). As said, pgp signatures can't be spoofed this way, neither can code-signing.
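
An added illustration (not part of any post in this thread, and not Pale Moon's tooling) of the hash-versus-signature point made above: a hash fetched over the same channel as the file can be rewritten along with it, while a signature checked against a previously pinned public key cannot. A stdlib Lamport one-time signature stands in for PGP here; the names `publish`, `tamper` and `client_checks` and the sample bytes are constructed for the example, and the client is assumed to have obtained the public key over a trusted channel beforehand.

```python
import hashlib
import secrets

def H(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key pair (stand-in for a PGP key): 256 secret pairs,
    # the public key is the hash of each secret.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def digest_bits(data: bytes):
    d = H(data)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, data: bytes):
    # Reveal one secret per bit of the file's digest.
    return [sk[i][bit] for i, bit in enumerate(digest_bits(data))]

def verify(pk, data: bytes, sig) -> bool:
    bits = digest_bits(data)
    return len(sig) == 256 and all(H(sig[i]) == pk[i][bits[i]] for i in range(256))

def publish(sk, installer: bytes) -> dict:
    # What the vendor's server offers: file, hash, detached signature.
    return {"file": installer, "sha256": H(installer).hex(), "sig": sign(sk, installer)}

def tamper(payload: bytes) -> dict:
    # Model of a rewritten plain-HTTP response: file and hash are swapped
    # together; without the vendor's private key the signature can only be
    # made with some other key.
    other_sk, _ = keygen()
    return {"file": payload, "sha256": H(payload).hex(), "sig": sign(other_sk, payload)}

def client_checks(resp: dict, pinned_pk):
    hash_ok = H(resp["file"]).hex() == resp["sha256"]      # hash came over the same channel
    sig_ok = verify(pinned_pk, resp["file"], resp["sig"])  # key was pinned before the download
    return hash_ok, sig_ok

def demo():
    sk, pk = keygen()  # pk reaches the client out of band
    genuine = publish(sk, b"constructed installer bytes")
    replaced = tamper(b"constructed replacement bytes")
    return client_checks(genuine, pk), client_checks(replaced, pk)

if __name__ == "__main__":
    print(demo())
```

The replaced response still passes the hash comparison and fails only the signature check, which is why the trust anchor has to be the key rather than anything served next to the file.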