Project: | Web |
Component: | Main |
Category: | bug report |
Priority: | normal |
Assigned: | Unassigned |
Status: | active |
Can you add http://jenkins.trisquel.info to the TLS cert?
Having the signature, download file, and md5 all only available via http is concerning.
I know that checksums are used to verify integrity, as in, that what you just downloaded is correct. A man-in-the-middle attack *could* be done if the user skips checking the signature and the md5 file is also altered. Also, if a user isn't paying attention when verifying the GPG signature, they could download malicious versions of Trisquel that are signed by a look-alike GPG key. Being able to download everything via https or .onion would greatly reduce these risks.
If you can't add all of jenkins.trisquel to the TLS cert, it would still be an improvement to be able to at least obtain md5 checksums and signatures via an https or .onion connection, instead of only http.
Encrypt all the things!
If none of this is an option, it would be great to have a list of mirrors that provide Trisquel content over TLS or onion services. If these mirrors don't exist currently, it might be good to send a request to the current mirrors to add this option.
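The two failure modes the report describes can be shown concretely: a checksum file fetched over the same plaintext channel as the image can be rewritten together with it, so the md5 check still passes, and a signature check that only glances at a short key ID can be satisfied by a look-alike key. The following is an added example, not code from Trisquel or from the reporter; the image bytes, checksum lines and key fingerprints are constructed for illustration, and the fingerprint check stands in for the comparison you would do by hand against the fingerprint printed by `gpg --verify`.

```python
import hashlib
import hmac

# Constructed sample data: a tiny stand-in for the ISO and its md5sums line.
GENUINE_ISO = b"genuine trisquel image bytes\n"
GENUINE_MD5SUMS = f"{hashlib.md5(GENUINE_ISO).hexdigest()}  trisquel.iso\n"

# Constructed fingerprints (not real Trisquel keys). The look-alike shares the
# last 8 hex digits, i.e. the short key ID that gpg prints by default, but is a
# different key.
PINNED_FPR = "1234 5678 9ABC DEF0 1234 5678 9ABC DEF0 DEAD BEEF"
LOOKALIKE_FPR = "FFFF 0000 FFFF 0000 FFFF 0000 FFFF 0000 DEAD BEEF"


def parse_checksum_file(text):
    """Parse md5sum/sha256sum output ('<hex>  <filename>' per line)."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed checksum line: {line!r}")
        digest, name = parts
        sums[name.lstrip("*")] = digest.lower()
    return sums


def checksum_matches(data, checksum_text, name, algo="md5"):
    """True if data hashes to the digest listed for name.

    This proves only that the download is intact relative to the checksum
    file; it says nothing about where either came from. algo may be any
    hashlib name (sha256 is preferable to md5 where the mirror offers it).
    """
    expected = parse_checksum_file(checksum_text).get(name)
    if expected is None:
        return False
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, expected)


def mitm_rewrite(iso, name):
    """Simulate an on-path attacker on plain http.

    The attacker serves a modified image and regenerates the checksum
    file to match it, so a checksum-only verification passes.
    """
    evil_iso = iso + b"backdoor\n"
    evil_sums = f"{hashlib.md5(evil_iso).hexdigest()}  {name}\n"
    return evil_iso, evil_sums


def _normalize_fpr(fpr):
    return fpr.replace(" ", "").upper()


def short_key_id(fpr):
    """The 8-hex-digit short ID gpg shows by default: last 32 bits."""
    return _normalize_fpr(fpr)[-8:]


def fingerprint_pinned(reported_fpr, pinned=PINNED_FPR):
    """Compare the FULL fingerprint reported by gpg --verify against the
    fingerprint obtained out of band, not just the short key ID."""
    return hmac.compare_digest(_normalize_fpr(reported_fpr), _normalize_fpr(pinned))


if __name__ == "__main__":
    # Honest download: checksum matches.
    print("genuine ok:", checksum_matches(GENUINE_ISO, GENUINE_MD5SUMS, "trisquel.iso"))
    # Attacker rewrites both files in transit: checksum STILL matches.
    evil_iso, evil_sums = mitm_rewrite(GENUINE_ISO, "trisquel.iso")
    print("tampered still passes md5:", checksum_matches(evil_iso, evil_sums, "trisquel.iso"))
    # Look-alike key: same short ID, different fingerprint.
    print("short IDs equal:", short_key_id(LOOKALIKE_FPR) == short_key_id(PINNED_FPR))
    print("full fingerprint pinned:", fingerprint_pinned(LOOKALIKE_FPR))
```

The takeaway matches the report: a checksum only detects accidental corruption unless the checksum file itself arrives over an authenticated channel (TLS, an onion service, or a signature you actually verify), and the signature check only helps if the full fingerprint is compared against one obtained out of band rather than the short key ID.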