
Please provide HTTPS access to the website

Posted: 13.04.2016, 11:55
by OnePostPony
Downloading software through normal HTTP is a severe security issue. Please provide HTTPS access.

Re: Please provide HTTPS access to the website

Posted: 13.04.2016, 19:56
by boco
What do you mean exactly? The website, forum and the WSUSOU download could be secured (e. g. by a Let's Encrypt cert), I guess. As for getting updates through WSUSOU, the default WGet downloader used does not support HTTPS yet. The update signatures are checked, however.

Also note that getting something over HTTPS does NOT verify authenticity. HTTPS just ensures that the website your browser shows is the same as what the server sends, and that nobody in the middle can intercept any data. In other words, getting malware via HTTPS is as possible as getting it via HTTP.

Re: Please provide HTTPS access to the website

Posted: 14.04.2016, 02:58
by OnePostPony
I do mean the download of http://download.wsusoffline.net/wsusoffline1061.zip and the hashes at http://download.wsusoffline.net/wsusoff ... hashes.txt should be protected using HTTPS.
Let's Encrypt would be an option, yes.
I'm not sure what you mean by it doesn't verify authenticity. :)
Anyway, this would prevent MitM, for example in case somebody downloads the program from an insecure coffee shop wireless LAN. With HTTPS he can be sure he actually downloads the file from this website; without it, you can send him a different file with malware. I agree that it doesn't prevent the owner of this website from sending him malware.
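
The request to protect both the ZIP and its hash list, shown as an added example that is not part of the original post or of the project's code: a hash list only helps if it arrives over a channel that cannot be modified in transit. The `<digest>  <filename>` layout of the hash list and the sample bytes are assumptions constructed for illustration.

```python
import hashlib
import hmac

def parse_hashes(text):
    """Parse '<hexdigest>  <filename>' lines (assumed sha256sum-style layout)."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            table[parts[1].lstrip("*")] = parts[0].lower()
    return table

def verify(name, data, hashes_text):
    """Return True only if `data` matches the digest listed for `name`."""
    expected = parse_hashes(hashes_text).get(name)
    if expected is None:
        return False  # a missing entry is a failure, never a pass
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)

def hash_line(name, data):
    """Build one hash-list line for `data` (helper for the constructed samples)."""
    return f"{hashlib.sha256(data).hexdigest()}  {name}\n"

NAME = "wsusoffline1061.zip"
# Constructed stand-ins for the real archive and a copy altered in transit.
GENUINE = b"constructed sample: genuine archive bytes"
TAMPERED = b"constructed sample: archive altered in transit"

# The hash list as the publisher serves it.
PUBLISHED_HASHES = hash_line(NAME, GENUINE)
# The hash list as received when both plain-HTTP responses were modified.
REWRITTEN_HASHES = hash_line(NAME, TAMPERED)

def scenarios():
    return {
        # File and hash list both fetched over the same unauthenticated channel.
        "same_channel": verify(NAME, TAMPERED, REWRITTEN_HASHES),
        # Hash list fetched over an authenticated channel such as HTTPS.
        "trusted_hashes": verify(NAME, TAMPERED, PUBLISHED_HASHES),
        "genuine": verify(NAME, GENUINE, PUBLISHED_HASHES),
    }

if __name__ == "__main__":
    for label, ok in scenarios().items():
        print(f"{label}: {'accepted' if ok else 'rejected'}")
```

The altered file is accepted when its hash list travelled over the same unprotected connection and rejected only when the hash list came from a channel that could not be modified.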

Re: Please provide HTTPS access to the website

Posted: 14.04.2016, 07:10
by boco
OnePostPony wrote: I'm not sure what you mean by it doesn't verify authenticity. :)

Many people do believe that downloading via HTTPS ensures you're getting virus-free downloads. I just pointed out that HTTPS only provides end-to-end encryption. If the original file is already bogus (e. g. through a server hack), HTTPS won't help.

Re: Please provide HTTPS access to the website

Posted: 16.04.2016, 00:21
by OnePostPony
So, can we get this please? :) Is there an issue tracker somewhere or something? Should be pretty easy to set up actually...

Re: Please provide HTTPS access to the website

Posted: 04.10.2016, 07:00
by telnetuserid
I think this is more relevant for the forum, since it transmits username and password. Using HTTP means that the POST request could be sniffed in transit to steal forum user credentials. Remember those incidents on Ubuntu Forums when they didn't use HTTPS? Remember what happened to Linux Mint when they didn't use HTTPS?

Nevertheless, having https for *.wsusoffline.net is better.

Re: Please provide HTTPS access to the website

Posted: 04.10.2016, 21:08
by hbuhrmester
OnePostPony wrote: Is there an issue tracker somewhere or something? Should be pretty easy to set up actually...

Actually, Trac can be used as a bug tracker. Then it would look like:
https://trac.videolan.org/vlc/
https://trac.videolan.org/vlc/report/1

Re: Please provide HTTPS access to the website

Posted: 16.10.2016, 23:42
by telnetuserid
It also seems that the web server software hosting wsusoffline.net is rather old.

Server:Apache/2.2.16 (Debian)
Transfer-Encoding:chunked
Vary:Accept-Encoding
X-Powered-By:PHP/5.2.6-1+lenny9


Lenny? It has been long outdated since 2011.

Even current oldstable (wheezy) has Apache/2.2.22 and PHP/5.4.45 and is still receiving security updates, although current stable (Jessie) is better supported.

Are you waiting for the next stable (Stretch) release to update the server software?

I think it would be wise to update the server software hosting wsusoffline.net so that it's relevant to the wsusoffline mission to keep systems up to date.