From: David B. <dav...@gm...> - 2010-08-19 13:02:25
Hi Bill,

>> For things like online banking, a valid SSL cert is obviously
>> critical, but I've never quite understood why our package downloads
>> have to go through https:// rather than plain old http://.
>
> Well, that would be to prevent man-in-the-middle attacks where
> bad guys surreptitiously install keyloggers into the software
> being downloaded from the server, and thus own the end-user's bank
> account password via that route. ;)

Yeah, that makes sense, I hadn't quite thought things through. I mostly had in mind the fact that our programs themselves don't do anything security-critical, but they still are code that is executed on the user's machine, so an altered version could still be really bad.

As it stands now, users are protected, but only to the extent that they are willing to take my word that the Alioth site with the self-signed cert really is our legitimate download site. Of course, they already have to trust that *we* aren't bad guys - a valid third-party SSL cert doesn't show that the packages themselves are free of malware.

Still, I'm getting tired of having to explain this repeatedly to concerned would-be users, and who knows how many folks are simply scared off that we never hear from. Maybe we should take our downloads off of Alioth and put them on SF if the Alioth guys won't address this.

David