Please enable https for source tarballs

Posted: 2021-11-17, 00:34
by stephonson
The certificate for archive.palemoon.org is valid only for basilisk-browser.org and adding an exception just results in a 404. Furthermore, I do not see any links to signatures or even checksums.

Re: Please enable https for source tarballs

Posted: 2021-11-17, 03:16
by moonbat
What certificate? The entire site is http only, and it isn't serving anything confidential that the https everywhere idiocy being promoted has to apply here.

Re: Please enable https for source tarballs

Posted: 2021-11-17, 03:33
by stephonson
https://archive.palemoon.org/ gives a certificate error rather than refusing the connection.
Using unsigned source code retrieved over an unencrypted connection is dangerous. This has nothing to do with any https everywhere idiocy.
Please either enable (not require) https or add pgp signatures for the source tarball downloads.

Re: Please enable https for source tarballs

Posted: 2021-11-17, 08:47
by Moonchild
stephonson wrote:
2021-11-17, 03:33
Using unsigned source code retrieved over an unencrypted connection is dangerous.
It's source code. It's not executable. What is dangerous about it?
You think malicious actors interested in serving you malware are going to put up edited versions of our source code for you to build?... :lol:
stephonson wrote:
2021-11-17, 03:33
This has nothing to do with any https everywhere idiocy.
Yet you argue exactly the same way that it's "dangerous"... :roll:
Just because you say so, doesn't make it any less true.
You want https everywhere, including for source code downloads... Which is rather silly.

The fact it doesn't have https as an option for people who are insisting https everywhere is actually a practical security reason: the archive server is on donated space and I do not trust my private key for the wildcard certificate being stored on it. Even if I've never had issues with this particular provider, past experiences with the likes of Frantech have taught me some hard lessons. If someone has a way to provide https in a secure way without the private key being extractable (and without requiring cert passwords to be entered on every reboot) then I'm all ears.

As for the 404 and basilisk certificates, that's entirely expected because the archive server is not serving over https and the server is multi-homing for multiple hosts. Your URL is the wrong protocol.

Re: Please enable https for source tarballs

Posted: 2021-11-17, 11:46
by athenian200
The only thing HTTPS would do is prevent a third-party from snooping on the connection between you and the download server, it doesn't verify that what's being downloaded is safe. I'm pretty sure you could transmit a virus over HTTPS as well. Are you afraid your ISP or someone else monitoring your connection would know you were downloading Pale Moon source or something? This is a very strange request unless you downloading the source code itself is an activity you fear third-parties knowing about.

As far as signatures, I believe the compression format itself has a checksum built in, so if the file were corrupted, it shouldn't even extract AFAIK. If someone had access to the server to modify the files, they would also be able to change the checksums at the same time, so it wouldn't provide any protection against that.

I'm really starting to see how easy it is for unscrupulous people to provide the trappings of security to appear trustworthy to the average person, without making things any more secure at all... and conversely, how easy it is to make innocent people look bad simply because they don't want to use an HTTPS certificate for whatever reason.

Re: Please enable https for source tarballs

Posted: 2021-11-17, 12:00
by vannilla
In fairness, the files' signature (made with PGP or whatever) should prevent someone intercepting the connection, rather than accessing the server directly, to serve modified files.
However, if the attacker has control over the data being transferred, then it can also provide signatures for their modified files.
This last case should've been solved by HTTPS, since you can't intercept the data flow without breaking encryption, but with contemporary practices whether or not that is true is up to debate.

Re: Please enable https for source tarballs

Posted: 2021-11-17, 16:38
by stephonson
Moonchild wrote:
2021-11-17, 08:47
It's source code. It's not executable. What is dangerous about it?
The same thing that's dangerous about retrieving unsigned executables over an unencrypted connection. It's going to be running on my machine either way. I'm not going to read the entire code, whether source code or machine code, first.
Moonchild wrote:
2021-11-17, 08:47
You want https everywhere, including for source code downloads... Which is rather silly.
No I don't. I asked for either https or pgp signatures. You provide pgp signatures for the windows and linux binaries. (And you have an https option for the binary downloads.) But not for the source code!?
Moonchild wrote:
2021-11-17, 08:47
The fact it doesn't have https as an option for people who are insisting https everywhere is actually a practical security reason: the archive server is on donated space and I do not trust my private key for the wildcard certificate being stored on it.
I didn't know that. It's a subdomain of your site so I assumed you operate it.
Now that I know that I'll change my request: please provide pgp signatures for the source tarballs.

You all seem to have so much beef with https everywhere that you just jumped me for it while missing that that's not actually what I asked for.

vannilla wrote:
2021-11-17, 12:00
However, if the attacker has control over the data being transferred, then it can also provide signatures for their modified files.
Only if the attacker has Moonchild's private key. Which would be necessary in either case.

Re: Please enable https for source tarballs

Posted: 2021-11-17, 20:34
by Moonchild
stephonson wrote:
2021-11-17, 16:38
The same thing that's dangerous about retrieving unsigned executables over an unencrypted connection.
Nope. Totally different class. You can't execute source code.

Also, https does nothing to protect you from any of the range of attacks on DNS, routing, etc. The only thing it could -potentially- protect against is MitM if you take the time to actually check the certificate details and signatures (do you? every time you download something?)
stephonson wrote:
2021-11-17, 16:38
You all seem to have so much beef with https everywhere that you just jumped me for it while missing that that's not actually what I asked for.
You were asking for https everywhere for everything. See topic title and your initial post. If you actually didn't mean to ask that then you should not have labelled it as such.

Making pgp signatures is a PITA but I'll consider it. Checksums are going to be pointless for security; they are only good for integrity verification (but xz will already alert you if there's a problem with that, I'm sure).
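The integrity-versus-authenticity distinction argued in this thread (xz's built-in check and a checksum file served next to the tarball catch corruption, not a swapped file), shown as an added example that is not part of the thread or the Pale Moon project; the "source" bytes and the archive layout are constructed stand-ins for a real tarball.

```python
"""Added example: why an xz integrity check and a same-origin checksum file
detect corruption but not tampering, and what a hash obtained over a
separate channel adds. Constructed data, not Pale Moon's release files."""
import hashlib
import lzma

# Constructed stand-ins for a source tarball's contents.
GENUINE_SOURCE = b"int main(void) { return 0; }\n"
TAMPERED_SOURCE = b"int main(void) { run_payload(); return 0; }\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def publish(source: bytes) -> dict:
    """What a server (or anyone rewriting the HTTP response in transit) hands
    out: the .xz archive plus a SHA256SUMS entry computed from that archive."""
    archive = lzma.compress(source, check=lzma.CHECK_CRC64)
    return {"archive": archive, "sha256sums": sha256_hex(archive)}


def xz_integrity_ok(archive: bytes) -> bool:
    """The check xz itself performs: the CRC64 embedded in the stream must
    match the decompressed data. A re-compressed tampered file passes."""
    try:
        lzma.decompress(archive)
        return True
    except lzma.LZMAError:
        return False


def same_origin_checksum_ok(download: dict) -> bool:
    """Checksum fetched from the same place as the tarball: whoever replaced
    the tarball also wrote this value, so it always matches."""
    return sha256_hex(download["archive"]) == download["sha256sums"]


def pinned_checksum_ok(download: dict, pinned_sha256: str) -> bool:
    """Checksum obtained independently (e.g. a release announcement or a
    signed file): a swapped archive no longer matches it."""
    return sha256_hex(download["archive"]) == pinned_sha256


def corrupt_in_transit(archive: bytes) -> bytes:
    """Accidental corruption: flip one bit in the middle of the stream."""
    damaged = bytearray(archive)
    damaged[len(damaged) // 2] ^= 0x01
    return bytes(damaged)
```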

Re: Please enable https for source tarballs

Posted: 2021-11-22, 08:47
by Moonchild
I've enabled optional https on the archive server and the US release mirror for downloads. I simply CBA to pgp-sign the source tarballs because it's completely outside of my normal release engineering workflow.