Downloads over HTTP? #627
Comments
|
Good point.
It would not be to hard to put together a PR for this. |
Agreed, see #628. I don't want to treat the symptom only though - where do these links come from? Are they generated automatically? Can I fix the source too? |
they come from https://github.com/scala/make-release-notes; a PR on this in that repo would be very welcome a PR addressing scala/make-release-notes#35 would also be very welcome; that would address the root cause of it not being obvious where the files come from |
Since no redirect or HSTS is in place, these downloads are vulnerable to being MitM'd. This commit changes all future links to use "HTTPS" in the protocol part instead of "HTTP". Related: scala/scala-lang#627
Since no redirect or HSTS is in place, these downloads are vulnerable to being MitM'd. This commit changes all future links to use "HTTPS" in the protocol part instead of "HTTP". Related: scala/scala-lang#627
|
Does this script need to be updated, too? https://github.com/scala/scala-dist/blob/2.12.x/scripts/jobs/release/website/archives It's not clear to me what it does, exactly, but it has a lightbend URL, as well. |
That would be nice. It's only using that URL to retrieve things, but it might as well use the more secure form. As for the purpose of that section of the script, I don't recall having dealt with it before, but it takes the artifacts available at downloads.lightbend.com and also makes them available at http://www.scala-lang.org/files/archive/. (Digression: I'm not sure if that's just, like, a backup in case an asteroid hits Lightbend, or what? In the past, download pages like this one used the scala-lang URLs instead of the typesafe/lightbend URLs. Maybe lightbend.com has better connectivity or cheaper bandwidth or something.) |
Come to think of it, maybe it's more than nice, maybe it's really a good idea. Even if the scala-lang.org download URLs aren't usually used, this would still be a really bad place to fall prey to MITM and end up with compromised binaries on an official server. |
This is to prevent an MitM possible by downloading the releases in plain text (using HTTP). Per scala/scala-lang#627 this script appears to make artifacts available on scala-lang.org and so any form of attack here could be problematic.
Since no redirect or HSTS is in place, these downloads are vulnerable to being MitM'd. This commit changes all future links to use "HTTPS" in the protocol part instead of "HTTP". Related: scala/scala-lang#627
This is to prevent an MitM possible by downloading the releases in plain text (using HTTP). Per scala/scala-lang#627 this script appears to make artifacts available on scala-lang.org and so any form of attack here could be problematic.
|
Thanks all for your input on this. I think the only thing I haven't addressed here is:
I'll see if I can wrap my head around what's going on with the comment issue - if I can get it to work I'll open another PR. |
Currently scala-lang.org links this URL:
http://downloads.lightbend.com/scala/2.12.1/scala-2.12.1.tgzSaid URL does not redirect to the HTTPS'd URL.
But,
downloads.lightbend.comsupports HTTPS. Why are the download links given using HTTP?Related: #463
The text was updated successfully, but these errors were encountered: