Does this change things for HTTP downloads?


BenFenner
Astronaut
Posts: 615
Joined: 2015-06-01, 12:52
Location: US Southeast

Unread post by BenFenner » 2024-08-06, 19:16

I know there has been discussion of Pale Moon downloads performed over HTTP (versus HTTPS) in the past. I searched a bit but could not find the discussions to link, sorry.

I think I checked correctly just now and found the downloads still happen over HTTP.

I've not been one of the ones pushing for HTTPS (although I do see how it might be helpful for those in countries where just downloading certain software might get you in hot water) so no need to read into this.

I'm curious; does the recent ISP compromise tip the scales any in either direction? Read below:

https://it.slashdot.org/story/24/08/06/ ... hacked-isp

Pentium4User
Board Warrior
Posts: 1252
Joined: 2019-04-24, 09:38

Re: Does this change things for HTTP downloads?

Unread post by Pentium4User » 2024-08-06, 19:38

If you download something via HTTP, there is no verification by default.
You would need to get a pubkey from the vendor in a secure way to verify the file.
With TLS this is now delegated to the CAs. They are not all trustworthy and security problems still exist (e.g. issuing certificates without verifying identity etc., hacked CA etc.), but it is much, much better than simple HTTP.
The profile picture shows my Maico EC30 E ceiling fan.

Moonchild
Pale Moon guru
Posts: 36453
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Does this change things for HTTP downloads?

Unread post by Moonchild » 2024-08-06, 20:46

BenFenner wrote (2024-08-06, 19:16):
> I think I checked correctly just now and found the downloads still happen over HTTP.

Only if you loaded the website over HTTP. If you visit the site over HTTPS, then downloads will also be HTTPS. So, it's your choice how to download.
As for integrity, we publish hashes and PGP sigs.
"A programmer is someone who solves a problem you didn't know you had, in a way you don't understand." -- unknown
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

moonbat
Knows the dark side
Posts: 5288
Joined: 2015-12-09, 15:45

Re: Does this change things for HTTP downloads?

Unread post by moonbat » 2024-08-06, 22:41

Moonchild wrote (2024-08-06, 20:46):
> As for integrity, we publish hashes and pgp sigs.

I have to ask, how overstated is the supposed risk of using HTTP for public websites that require no logins and store no user-data? Especially given you're providing hashes. Could someone MITM an HTTP site and provide hashes to the replaced files?
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

KDE Neon on a Slimbook Excalibur (Ryzen 7 8845HS, 64 GB RAM)
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX

RealityRipple
Keeps coming back
Posts: 755
Joined: 2018-05-17, 02:34
Location: Los Berros Canyon, California

Re: Does this change things for HTTP downloads?

Unread post by RealityRipple » 2024-08-06, 23:25

moonbat wrote (2024-08-06, 22:41):
> Could someone MITM an HTTP site and provide hashes to the replaced files?

Sure for the hashes, but not the PGP signatures. Hashes verify file integrity between "a" server and "a" client, no more.
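
Added example, not part of any post in this thread: a small Python simulation of the point made in the replies above, that a hash served over the same plain-HTTP channel only shows the file matches what that server sent, while a signature checked against a separately obtained key does not survive a changed file. A Lamport one-time signature built from `hashlib` stands in for PGP so the block runs offline; all function names and byte strings are constructed for illustration.

```python
import hashlib
import secrets

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def digest_bits(msg: bytes) -> list:
    d = h(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen():
    # Lamport one-time key: 256 pairs of secrets; the public key is their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(h(a), h(b)) for a, b in sk]
    return sk, pk

def sign(sk, msg: bytes) -> list:
    # Reveal one secret per digest bit.
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]

def verify(pk, msg: bytes, sig: list) -> bool:
    bits = digest_bits(msg)
    return len(sig) == 256 and all(h(s) == pk[i][bits[i]] for i, s in enumerate(sig))

def publish(file: bytes, sk) -> dict:
    # What the vendor's site serves: file, its SHA-256, and a detached signature.
    return {"file": file, "sha256": hashlib.sha256(file).hexdigest(), "sig": sign(sk, file)}

def rewritten_in_transit(served: dict, other_file: bytes) -> dict:
    # Over plain HTTP everything on the wire can change together, so the hash
    # matches the new file; the signature cannot be redone without the private key.
    return {"file": other_file, "sha256": hashlib.sha256(other_file).hexdigest(),
            "sig": served["sig"]}

def hash_ok(dl: dict) -> bool:
    return hashlib.sha256(dl["file"]).hexdigest() == dl["sha256"]

def signature_ok(dl: dict, pinned_pk) -> bool:
    return verify(pinned_pk, dl["file"], dl["sig"])

def demo() -> dict:
    sk, pinned_pk = keygen()  # assumption: public key obtained earlier via a trusted route
    genuine = publish(b"constructed installer bytes", sk)
    swapped = rewritten_in_transit(genuine, b"constructed replacement bytes")
    # Each value is (hash check result, signature check result).
    return {"genuine": (hash_ok(genuine), signature_ok(genuine, pinned_pk)),
            "swapped": (hash_ok(swapped), signature_ok(swapped, pinned_pk))}

if __name__ == "__main__":
    print(demo())
```

The hash check passes for both downloads; only the signature check against the pinned key tells them apart.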

Moonchild
Pale Moon guru
Posts: 36453
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Does this change things for HTTP downloads?

Unread post by Moonchild » 2024-08-07, 09:17

moonbat wrote (2024-08-06, 22:41):
> how overstated is the supposed risk of using HTTP for public websites that require no logins and store no user-data?

It's considerably over-stated. While it's certainly possible to MITM an HTTP site on a file-by-file basis, it's extremely impractical to do so (unless you want to really spear-phish particular users of particular sites individually and want to expend that effort for the attack). If you can successfully MITM these users, it'll be much easier to attack their traffic in different ways than to intercept and rewrite individual HTTP responses.

moonbat wrote (2024-08-06, 22:41):
> Could someone MITM an HTTP site and provide hashes to the replaced files?

Technically, yes, but then you have an even more complicated thing to set up as you'd have to replicate the entire website with changed hashes (as opposed to the "simple" replacement of downloads in-flight or what not). As said, PGP signatures can't be spoofed this way, neither can code-signing.
"A programmer is someone who solves a problem you didn't know you had, in a way you don't understand." -- unknown
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
