
#270 Plaintext downloads expose users of sourceforge to unnecessary risk

implemented
nobody
File-Release-System
2017-01-30
2014-06-11
No

Please switch all of your mirrors to use HTTPS. Many binary distributions are hosted on Sourceforge, especially Windows binaries, most of which do not have any in-band authentication. HTTPS is the absolute minimum level of assurance you could provide for file downloads.

As it stands, your download pages actively redirect from HTTPS to HTTP, so even if I carefully type a secure URL I am forced to trust any criminal who has decided to poison my DNS cache with administrator access to all of my Windows machines.
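The failure the ticket describes is a redirect chain whose scheme drops from https to http somewhere before the binary is served. The following is an added example, not code from the ticket or from SourceForge, of how a practitioner can check a download URL for that downgrade: follow the redirects hop by hop with HEAD requests and flag any hop where an https URL hands back a plain-http Location. The host names and URLs in the offline demo are constructed for illustration and do not represent real SourceForge responses.

```python
"""Added example (not from the SourceForge ticket): detect HTTPS -> HTTP
downgrades in a download URL's redirect chain.

A download page reached over HTTPS that redirects to a plain-HTTP mirror
leaves the binary itself unauthenticated, so anyone who can spoof DNS or sit
on the path can substitute it. The helpers below walk the redirect chain
without fetching the body and report any hop that drops the scheme.
Host names used in the offline demo are constructed, not real mirrors.
"""
import http.client
from urllib.parse import urlsplit, urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}


def find_downgrades(chain):
    """Return (hop_index, from_url, to_url) for every hop in `chain` (the
    ordered list of URLs visited) where an https URL redirected to http."""
    downgrades = []
    for i in range(1, len(chain)):
        before = urlsplit(chain[i - 1]).scheme.lower()
        after = urlsplit(chain[i]).scheme.lower()
        if before == "https" and after == "http":
            downgrades.append((i, chain[i - 1], chain[i]))
    return downgrades


def follow_redirects(url, max_hops=10, timeout=10):
    """Follow redirects for `url` using HEAD requests and return the list of
    URLs visited, starting with `url`. Stops at the first non-redirect
    response or after `max_hops`. Network-dependent; the offline demo below
    uses constructed chains instead of calling this."""
    chain = [url]
    for _ in range(max_hops):
        parts = urlsplit(chain[-1])
        conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                    else http.client.HTTPConnection)
        conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        try:
            conn.request("HEAD", path, headers={"User-Agent": "downgrade-check/1"})
            resp = conn.getresponse()
            status, location = resp.status, resp.getheader("Location")
        finally:
            conn.close()
        if status not in REDIRECT_CODES or not location:
            break
        # Location may be relative; resolve it against the current URL.
        chain.append(urljoin(chain[-1], location))
    return chain


def assess(chain):
    """Summarise a redirect chain: whether the final URL is plaintext, which
    hops downgraded, and whether the chain is acceptable (https end to end)."""
    final_scheme = urlsplit(chain[-1]).scheme.lower()
    downgrades = find_downgrades(chain)
    return {
        "final_url": chain[-1],
        "final_plaintext": final_scheme == "http",
        "downgrades": downgrades,
        "safe": final_scheme == "https" and not downgrades,
    }


# Constructed redirect chains for an offline run (not real SourceForge responses).
DOWNGRADED_CHAIN = [
    "https://files.example-hosting.test/projects/tool/files/tool-1.0.exe/download",
    "http://mirror1.example-hosting.test/tool/tool-1.0.exe",  # scheme dropped here
]
SAFE_CHAIN = [
    "https://files.example-hosting.test/projects/tool/files/tool-1.0.exe/download",
    "https://mirror1.example-hosting.test/tool/tool-1.0.exe",
]
ALL_PLAINTEXT_CHAIN = [
    "http://files.example-hosting.test/projects/tool/files/tool-1.0.exe/download",
    "http://mirror1.example-hosting.test/tool/tool-1.0.exe",
]

if __name__ == "__main__":
    for name, chain in (("downgraded", DOWNGRADED_CHAIN),
                        ("safe", SAFE_CHAIN),
                        ("all-plaintext", ALL_PLAINTEXT_CHAIN)):
        print(name, assess(chain))
```

To check a live URL, pass `follow_redirects("https://...")` into `assess`; a chain whose `safe` field is false means the final artifact is fetched over plaintext and should only be trusted if it is verified out of band (a signature or a hash obtained over HTTPS).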

Discussion

  • Cameron Kaiser

    Cameron Kaiser - 2014-10-24

    I think this takes on some additional urgency given that some nodes have been detected on the Tor network actively patching HTTP downloads in flight.

    http://www.leviathansecurity.com/blog/the-case-of-the-modified-binaries/

  • Dave Brondsema

    Dave Brondsema - 2017-01-30
    • status: open --> implemented
