Task #1987

Please use HTTPS for downloads to protect users

Added by Tom Delmas over 1 year ago. Updated 27 days ago.

Status: In Progress
Priority: Normal
Category: Mirrors
Target version: -
% Done: 0%

Description

The link on the secure page
https://www.libreoffice.org/download/libreoffice-fresh/ for "Download Version 5.1.4"
launches the download from the insecure HTTP link
http://ftp.free.fr/mirrors/documentfoundation.org/libreoffice/stable/5.1.4/win/x86/LibreOffice_5.1.4_Win_x86.msi
A man in the middle could replace the legitimate file with an infected one.
It's not realistic to expect the user to manually check the checksum of the file.

I see at least two ways to correct that behavior:
Using only https mirrors is one solution. Another one could be a small downloader, downloaded from the https official website, that downloads from mirrors/torrent and checks the checksum before install.

History of that problem: https://bugs.documentfoundation.org/show_bug.cgi?id=100824


Related issues

Related to Infrastructure - Task #2312: Avoid serving web content over http:// when possible (New)

History

#1 Updated by Samuel Mehrbrodt 11 months ago

  • Subject changed from Please use HTTPS for dowloads to protect users to Please use HTTPS for downloads to protect users

#2 Updated by Guilhem Moulin 27 days ago

  • Related to Task #2312: Avoid serving web content over http:// when possible added

#3 Updated by Guilhem Moulin 27 days ago

  • Assignee set to Guilhem Moulin

#4 Updated by Guilhem Moulin 27 days ago

  • Category set to Mirrors

This was brought up at today's infra call: https://listarchives.libreoffice.org/global/website/msg14937.html

Adding a redirect http://download.documentfoundation.org to https://download.documentfoundation.org doesn't really help as long as we have http://-only mirrors, since users could be further redirected to an http:// mirror. Moreover it could be harmful if browsers decide to block such downgrade redirects.

Currently mirrorbrain can't redirect to https:// mirrors when it's accessible via https://, cf. https://github.com/poeml/mirrorbrain/issues/143 . However we can reach out to mirror operators and ask them to support https:// (need to patch `/usr/share/pyshared/mb/util.py` though, cf. https://github.com/poeml/mirrorbrain/issues/167), for instance by giving a link to the Let's Encrypt tutorials.

We currently have 113 enabled HTTP mirrors, of which 6 have an https:// baseURL. However the following scan shows that one third (34) of the http:// baseURLs can already be upgraded to https://.

```sh
# List enabled http:// mirrors and print those that also answer over https:// within 5 seconds
echo "SELECT baseurl, admin_email FROM server WHERE enabled = 't' AND baseurl LIKE 'http://%'" \
| sudo -u postgres psql -tAF' ' mirrorbrain \
| while read -r baseurl email; do
    curl -m5 -fso/dev/null "https://${baseurl#http://}" && echo "$baseurl $email"
  done
```

(Interestingly, https://tdf.ip-connect.vn.ua works on v6 but not on v4…) I just reached out to these 34 operators (modulo two bounces) and asked them if we could upgrade their baseurl to https:// in our database. Once we have enough https://-capable mirrors, the plan is to disable the few remaining http://-only ones.

#5 Updated by Guilhem Moulin 27 days ago

  • Status changed from New to In Progress
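
The small-downloader idea from the description, sketched as an added example (not part of the original issue, nor LibreOffice or mirrorbrain code): the digest is fetched only over https://, mirrors may be plain http://, and a payload is accepted only if it matches that digest. SHA-256, the `fetch` callable, all function names and the `example` URLs are assumptions, and the sample data is constructed.

```python
import hashlib
import hmac
import io
from urllib.parse import urlsplit


class IntegrityError(Exception):
    """Raised when no mirror payload matches the trusted digest."""


def sha256_stream(stream, chunk_size=64 * 1024):
    """Hash a file-like object in chunks so a large installer is not hashed in one go."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def fetch_verified(digest_url, mirror_urls, fetch):
    """Return (mirror_url, payload) for the first mirror whose payload matches.

    `fetch(url)` is a hypothetical transport callable returning bytes. The digest
    must come from an https:// URL; mirror content is untrusted until it matches.
    """
    if urlsplit(digest_url).scheme != "https":
        raise ValueError("trusted digest must be fetched over https://")
    expected = fetch(digest_url).decode("ascii").split()[0].lower()
    for url in mirror_urls:
        payload = fetch(url)
        if hmac.compare_digest(sha256_stream(io.BytesIO(payload)), expected):
            return url, payload
    raise IntegrityError("no mirror served a payload matching the trusted digest")


# Constructed sample data: a fake installer, its digest file on the https origin,
# and two http:// mirrors, the first of which serves a modified file.
GOOD = b"constructed installer bytes" * 1000
DIGEST_URL = "https://origin.example/installer.msi.sha256"
MIRRORS = ["http://mirror-a.example/installer.msi", "http://mirror-b.example/installer.msi"]
FAKE_NET = {
    DIGEST_URL: (hashlib.sha256(GOOD).hexdigest() + "  installer.msi\n").encode(),
    MIRRORS[0]: GOOD + b"tampered",
    MIRRORS[1]: GOOD,
}

if __name__ == "__main__":
    print("accepted from", fetch_verified(DIGEST_URL, MIRRORS, FAKE_NET.__getitem__)[0])
```

The modified payload from the first mirror is discarded and the second mirror's copy is accepted; if every mirror fails the check, nothing is returned for installation.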
