I know there has been discussion of Pale Moon downloads performed over HTTP (versus HTTPS) in the past. I searched a bit but could not find the discussions to link, sorry.
I think I checked correctly just now and found the downloads still happen over HTTP.
I've not been one of the ones pushing for HTTPS (although I do see how it might be helpful for those in countries were just downloading certain software might get you in hot water) so no need to read into this.
I'm curious; does the recent ISP compromise tip the scales any in either direction? Read below:
https://it.slashdot.org/story/24/08/06/ ... hacked-isp
Does this change things for HTTP downloads?
Moderators: FranklinDM, Lootyhoof
- Pentium4User
- Board Warrior
- Posts: 1256
- Joined: 2019-04-24, 09:38
- Contact:
Re: Does this change things for HTTP downloads?
If you download something via HTTP, there is no verification by default.
You would need to get a pubkey from the vendor on a secure way to verify the file.
With TLS this is now delegated to the CAs. They are not all trustworthy and security problems still exists (e.g. issuing certificates without verifying identity etc., hacked CA etc.), but it is much, much better than simple HTTP.
You would need to get a pubkey from the vendor on a secure way to verify the file.
With TLS this is now delegated to the CAs. They are not all trustworthy and security problems still exists (e.g. issuing certificates without verifying identity etc., hacked CA etc.), but it is much, much better than simple HTTP.
The profile picture shows my Maico EC30 E ceiling fan.
Re: Does this change things for HTTP downloads?
Only if you loaded the website over http. If you visit the site over https, then downloads will also be https. So, it's your choice how to download.
As for integrity, we publish hashes and pgp sigs.
"A programmer is someone who solves a problem you didn't know you had, in a way you don't understand." -- unknown
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: Does this change things for HTTP downloads?
I have to ask, how overstated is the supposed risk of using HTTP for public websites that require no logins and store no user-data? Especially given you're providing hashes. Could someone MITM an HTTP site and provide hashes to the replaced files?
"One hosts to look them up, one DNS to find them and in the darkness BIND them."
KDE Neon on a Slimbook Excalibur (Ryzen 7 8845HS, 64 GB RAM)
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX
KDE Neon on a Slimbook Excalibur (Ryzen 7 8845HS, 64 GB RAM)
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX
- RealityRipple
- Keeps coming back
- Posts: 760
- Joined: 2018-05-17, 02:34
- Location: Los Berros Canyon, California
- Contact:
Re: Does this change things for HTTP downloads?
Sure for the hashes, but not the PGP signatures. Hashes verify file integrity between "a" server and "a" client, no more.
Re: Does this change things for HTTP downloads?
It's considerably over-stated. While it's certainly possible to MITM an HTTP site on a file-by-file basis, it's extremely impractical to do so (unless you want to really spearfish particular users of particular sites individually and want to expend that effort for the attack). If you can successfully MITM these users, it'll be much easier to attack their traffic in different ways than to intercept and rewrite individual HTTP responses.
Technically, yes, but then you have an even more complicated thing to set up as you'd have to replicate the entire website with changed hashes (as opposed to the "simple" replacement of downloads in-flight or what not). As said pgp signatures can't be spoofed this way, neither can code-signing.
"A programmer is someone who solves a problem you didn't know you had, in a way you don't understand." -- unknown
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite