Please enable https for source tarballs

Unread post by stephonson » 2021-11-17, 00:34

The certificate for archive.palemoon.org is valid only for basilisk-browser.org and adding an exception just results in a 404. Furthermore, I do not see any links to signatures or even checksums.

Unread post by moonbat » 2021-11-17, 03:16

What certificate? The entire site is http only, and it isn't serving anything confidential that the https everywhere idiocy being promoted has to apply here.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Linux Mint 21 Xfce x64 on HP i5-5200 laptop, 12 GB RAM.
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX

Unread post by stephonson » 2021-11-17, 03:33

https://archive.palemoon.org/ gives a certificate error rather than refusing the connection.
Using unsigned source code retrieved over an unencrypted connection is dangerous. This has nothing to do with any https everywhere idiocy.
Please either enable (not require) https or add pgp signatures for the source tarball downloads.

Unread post by Moonchild » 2021-11-17, 08:47

stephonson wrote (2021-11-17, 03:33):
> Using unsigned source code retrieved over an unencrypted connection is dangerous.

It's source code. It's not executable. What is dangerous about it?
You think malicious actors interested in serving you malware are going to put up edited versions of our source code for you to build?... :lol:

stephonson wrote (2021-11-17, 03:33):
> This has nothing to do with any https everywhere idiocy.

Yet you argue exactly the same way that it's "dangerous"... :roll:
just because you say so, doesn't make it any less true.
You want https everywhere, including for source code downloads... Which is rather silly.

The fact it doesn't have https as an option for people who are insisting https everywhere is actually a practical security reason: the archive server is on donated space and I do not trust my private key for the wildcard certificate being stored on it. Even if I've never had issues with this particular provider, past experiences with the likes of Frantech have taught me some hard lessons. If someone has a way to provide https in a secure way without the private key being extractable (and without requiring cert passwords to be entered on every reboot) then I'm all ears.

As for the 404 and basilisk certificates, that's entirely expected because the archive server is not serving over https and the server is multi-homing for multiple hosts. Your URL is the wrong protocol.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Unread post by athenian200 » 2021-11-17, 11:46

The only thing HTTPS would do is prevent a third-party from snooping on the connection between you and the download server, it doesn't verify that what's being downloaded is safe. I'm pretty sure you could transmit a virus over HTTPS as well. Are you afraid your ISP or someone else monitoring your connection would know you were downloading Pale Moon source or something? This is a very strange request unless you downloading the source code itself is an activity you fear third-parties knowing about.

As far as signatures, I believe the compression format itself has a checksum built in, so if the file were corrupted, it shouldn't even extract AFAIK. If someone had access to the server to modify the files, they would also be able to change the checksums at the same time, so it wouldn't provide any protection against that.

I'm really starting to see how easy it is for unscrupulous people to provide the trappings of security to appear trustworthy to the average person, without making things any more secure at all... and conversely, how easy it is to make innocent people look bad simply because they don't want to use an HTTPS certificate for whatever reason.
"The Athenians, however, represent the unity of these opposites; in them, mind or spirit has emerged from the Theban subjectivity without losing itself in the Spartan objectivity of ethical life. With the Athenians, the rights of the State and of the individual found as perfect a union as was possible at all at the level of the Greek spirit." -- Hegel's philosophy of Mind
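
The three checks the post above weighs (xz's built-in check, a checksum served from the same server, and a digest obtained independently) behave differently on a corrupted download versus a re-compressed one. This is an added example, not code from the thread or the Pale Moon project; the sample bytes are constructed, and `PINNED` is assumed to reach the user over a separate trusted channel, the role a PGP signature checked against an already-trusted public key would play.

```python
import hashlib
import lzma

def make_xz(payload: bytes) -> bytes:
    """Compress payload as an .xz stream carrying its embedded CRC64 check."""
    return lzma.compress(payload, format=lzma.FORMAT_XZ, check=lzma.CHECK_CRC64)

def xz_check_passes(blob: bytes) -> bool:
    """Like `xz -t`: does the stream decode and match its own embedded check?"""
    try:
        lzma.decompress(blob, format=lzma.FORMAT_XZ)
        return True
    except lzma.LZMAError:
        return False

def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

def evaluate(blob: bytes, served_sum: str, pinned_sum: str) -> dict:
    """Apply the three checks discussed in the thread to one download."""
    digest = sha256_hex(blob)
    return {
        "xz_internal_check": xz_check_passes(blob),
        "same_channel_checksum": digest == served_sum,
        "out_of_band_digest": digest == pinned_sum,
    }

# Constructed sample bytes standing in for a source tarball's contents.
ORIGINAL = b"".join(b"obj%d.o: src%d.c\n" % (i, i) for i in range(200))
RELEASED = make_xz(ORIGINAL)
# Assumption: this digest reaches the user over a separate, trusted channel.
PINNED = sha256_hex(RELEASED)

# Case 1: accidental corruption in transit (one byte flipped mid-stream).
_buf = bytearray(RELEASED)
_buf[len(_buf) // 2] ^= 0xFF
CORRUPTED = bytes(_buf)

# Case 2: contents altered and re-compressed; the same-channel checksum is regenerated too.
REPACKED = make_xz(ORIGINAL.replace(b"src7.c", b"srcX.c", 1))

def run_cases() -> dict:
    return {
        "genuine": evaluate(RELEASED, PINNED, PINNED),
        "corrupted": evaluate(CORRUPTED, PINNED, PINNED),
        "repacked": evaluate(REPACKED, sha256_hex(REPACKED), PINNED),
    }

if __name__ == "__main__":
    print(run_cases())
```
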

Unread post by vannilla » 2021-11-17, 12:00

In fairness, the files' signature (made with PGP or whatever) should prevent someone intercepting the connection, rather than accessing the server directly, to serve modified files.
However, if the attacker has control over the data being transferred, then it can also provide signatures for their modified files.
This last case should've been solved by HTTPS, since you can't intercept the data flow without breaking encryption, but with contemporary practices whether or not that is true is up for debate.

Unread post by stephonson » 2021-11-17, 16:38

Moonchild wrote (2021-11-17, 08:47):
> It's source code. It's not executable. What is dangerous about it?

The same thing that's dangerous about retrieving unsigned executables over an unencrypted connection. It's going to be running on my machine either way. I'm not going to read the entire code, whether source code or machine code, first.

Moonchild wrote (2021-11-17, 08:47):
> You want https everywhere, including for source code downloads... Which is rather silly.

No I don't. I asked for either https or pgp signatures. You provide pgp signatures for the Windows and Linux binaries. (And you have an https option for the binary downloads.) But not for the source code!?

Moonchild wrote (2021-11-17, 08:47):
> The fact it doesn't have https as an option for people who are insisting https everywhere is actually a practical security reason: the archive server is on donated space and I do not trust my private key for the wildcard certificate being stored on it.

I didn't know that. It's a subdomain of your site so I assumed you operate it.
Now that I know that I'll change my request: please provide pgp signatures for the source tarballs.

You all seem to have so much beef with https everywhere that you just jumped me for it while missing that that's not actually what I asked for.

vannilla wrote (2021-11-17, 12:00):
> However, if the attacker has control over the data being transferred, then it can also provide signatures for their modified files.

Only if the attacker has Moonchild's private key. Which would be necessary in either case.

Unread post by Moonchild » 2021-11-17, 20:34

stephonson wrote (2021-11-17, 16:38):
> The same thing that's dangerous about retrieving unsigned executables over an unencrypted connection.

Nope. Totally different class. You can't execute source code.

Also, https does nothing to protect you from any of the range of attacks on DNS, routing, etc. The only thing it could -potentially- protect against is MitM if you take the time to actually check the certificate details and signatures (do you? every time you download something?)

stephonson wrote (2021-11-17, 16:38):
> You all seem to have so much beef with https everywhere that you just jumped me for it while missing that that's not actually what I asked for.

You were asking for https everywhere for everything. See topic title and your initial post. If you actually didn't mean to ask that then you should not have labelled it as such.

Making pgp signatures is a PITA but I'll consider it. Checksums are going to be pointless for security; they are only good for integrity verification (but xz will already alert you if there's a problem with that, I'm sure).

Unread post by Moonchild » 2021-11-22, 08:47

I've enabled optional https on the archive server and the US release mirror for downloads. I simply CBA to pgp-sign the source tarballs because it's completely outside of my normal release engineering workflow.
