Please provide HTTPS access to the website

Post by OnePostPony » 13.04.2016, 11:55

Downloading software through normal HTTP is a severe security issue. Please provide HTTPS access.
OnePostPony
 
Posts: 3
Joined: 13.04.2016, 11:52

Re: Please provide HTTPS access to the website

Post by boco » 13.04.2016, 19:56

What do you mean exactly? The website, forum and the WSUSOU download could be secured (e.g. by a Let's Encrypt cert), I guess. As for getting updates through WSUSOU, the default WGet downloader used does not support HTTPS yet. The update signatures are checked, however.

Also note that getting something over HTTPS does NOT verify authenticity. HTTPS just ensures that the website your browser shows is the same as what the server sends, and that nobody in the middle can intercept any data. In other words, getting malware via HTTPS is as possible as getting it via HTTP.
Microsoft update catalog: http://catalog.update.microsoft.com/v7/site/
Windows Install media creator: https://support.microsoft.com/en-us/help/15088/windows-create-installation-media
boco
 
Posts: 1780
Joined: 24.11.2009, 17:00
Location: Germany

Re: Please provide HTTPS access to the website

Post by OnePostPony » 14.04.2016, 02:58

I do mean the download of http://download.wsusoffline.net/wsusoffline1061.zip and the hashes at http://download.wsusoffline.net/wsusoff ... hashes.txt should be protected using HTTPS.
Let's Encrypt would be an option, yes.
I'm not sure what you mean by it doesn't verify authenticity. :)
Anyway, this would prevent MitM, for example in case somebody downloads the program from an insecure coffee shop wireless LAN. With HTTPS he can be sure he actually downloads the file from this website; without it, you can send him a different file with malware. I agree that it doesn't prevent the owner of this website from sending him malware.
OnePostPony
 
Posts: 3
Joined: 13.04.2016, 11:52
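
An added example, not part of the original thread or the project's code: it shows why the hash list discussed above only helps if it arrives over an authenticated channel. The `sha256sum`-style list layout, the file name `tool.zip` and all sample bytes are assumptions constructed for the illustration.

```python
import hashlib
import hmac

def parse_hash_list(text):
    """Parse 'hexdigest  filename' lines (sha256sum layout, assumed here)."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        # sha256sum marks binary mode with a leading '*' on the name
        table[name.strip().lstrip("*")] = digest.lower()
    return table

def verify(name, data, hash_list_text):
    """True only if SHA-256 of data matches the list entry for name."""
    expected = parse_hash_list(hash_list_text).get(name)
    if expected is None:
        return False  # no entry for this file: fail closed
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)

def simulate():
    """Constructed scenario: which cases a hash check can detect."""
    name = "tool.zip"  # placeholder file name
    genuine = b"genuine archive bytes (constructed sample)"
    tampered = b"substituted archive bytes (constructed sample)"
    good_list = f"{hashlib.sha256(genuine).hexdigest()}  {name}\n"
    forged_list = f"{hashlib.sha256(tampered).hexdigest()}  {name}\n"
    return {
        "genuine file, genuine list": verify(name, genuine, good_list),
        # Only the archive was altered in transit; the list arrived intact.
        "tampered file, genuine list": verify(name, tampered, good_list),
        # File and list both came over plain HTTP and were both rewritten:
        # the check passes, so it proves nothing about the origin.
        "tampered file, forged list": verify(name, tampered, forged_list),
    }

if __name__ == "__main__":
    for case, ok in simulate().items():
        print(f"{case}: {'PASS' if ok else 'FAIL'}")
```

The third case is the one that matters for this request: a hash published next to the download over the same unauthenticated channel detects corruption, not substitution.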

Re: Please provide HTTPS access to the website

Post by boco » 14.04.2016, 07:10

OnePostPony wrote:I'm not sure what you mean by it doesn't verify authenticity. :)

Many people do believe that downloading via HTTPS ensures you're getting virus-free downloads. I just pointed out that HTTPS only provides end-to-end encryption. If the original file is already bogus (e. g. through a server hack), HTTPS won't help.
boco
 
Posts: 1780
Joined: 24.11.2009, 17:00
Location: Germany

Re: Please provide HTTPS access to the website

Post by OnePostPony » 16.04.2016, 00:21

So, can we get this please? :) Is there an issue tracker somewhere or something? Should be pretty easy to set up actually...
OnePostPony
 
Posts: 3
Joined: 13.04.2016, 11:52

Re: Please provide HTTPS access to the website

Post by telnetuserid » 04.10.2016, 07:00

I think this is more relevant for the forum, since it transmits the username and password. Using HTTP means that the POST request could be sniffed in transit to steal forum user credentials. Remember those incidents on Ubuntu Forums when they didn't use HTTPS? Remember what happened to Linux Mint when they didn't use HTTPS?

Nevertheless, having https for *.wsusoffline.net is better.
telnetuserid
 
Posts: 12
Joined: 04.10.2016, 06:33

Re: Please provide HTTPS access to the website

Post by hbuhrmester » 04.10.2016, 21:08

OnePostPony wrote:Is there an issue tracker somewhere or something? Should be pretty easy to set up actually...


Actually, Trac can be used as a bug tracker. Then it would look like:
https://trac.videolan.org/vlc/
https://trac.videolan.org/vlc/report/1
hbuhrmester
 
Posts: 219
Joined: 11.10.2013, 20:59

Re: Please provide HTTPS access to the website

Post by telnetuserid » 16.10.2016, 23:42

It also seems that the web server software hosting wsusoffline.net is rather old.

Code:
Server:Apache/2.2.16 (Debian)
Transfer-Encoding:chunked
Vary:Accept-Encoding
X-Powered-By:PHP/5.2.6-1+lenny9


Lenny? It has been long outdated since 2011.

Even the current oldstable (wheezy) has Apache/2.2.22 and PHP/5.4.45 and is still receiving security updates, although the current stable (Jessie) is better supported.

Are you waiting for the next stable (Stretch) release to update the server software?

I think it would be wise to update the server software hosting wsusoffline.net so that it's in line with the wsusoffline mission to keep systems up to date.
telnetuserid
 
Posts: 12
Joined: 04.10.2016, 06:33

