Offer download over HTTPS
Opened this issue · 4 comments
JLLeitschuh commented
The only way to download the pre-built version of this tool from the website is over HTTP, not over HTTPS. This is fundamentally insecure and leaves you open to having your users' machines compromised by malicious code served to them during a MITM attack.
pegacat commented
Not sure which files you're referring to? The github version is available over https - the older version on sourceforge relies on whatever sourceforge does, but also looks like https?
JLLeitschuh commented
This site's links are all HTTP not HTTPS:
http://jxplorer.org/downloads/users.html
Also, the downloads site itself is only served over HTTP so the contents of that page could be manipulated via a MITM attack.
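An added example, not part of this issue thread or of the jxplorer project, of the check the comment above calls for: fetch a download page's HTML, resolve every link against the page's own URL, and flag anything that would be retrieved over plain HTTP. It also records whether the page itself is served over HTTPS, since an HTTPS link on an HTTP page can be rewritten by the same attacker who can rewrite the page. The sample HTML, the `example.test` hostnames and the file names are constructed for the demonstration; only the page URL `http://jxplorer.org/downloads/users.html` comes from the thread.

```python
"""Audit a download page for links that could be tampered with in transit."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LinkCollector(HTMLParser):
    """Collect every href from <a> tags in the page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def audit_download_page(page_url, html):
    """Classify each link on the page by the scheme it would actually use.

    Relative and scheme-relative hrefs inherit the page's scheme, which is why
    a page served over HTTP makes its 'plain' download links insecure too.
    """
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href in parser.hrefs:
        absolute = urljoin(page_url, href)
        scheme = urlsplit(absolute).scheme.lower()
        if scheme == "https":
            verdict = "ok"
        elif scheme == "http":
            verdict = "insecure"
        else:
            verdict = "skip"  # mailto:, javascript:, ftp: etc. are out of scope here
        findings.append((href, absolute, verdict))
    return {
        "page_over_https": urlsplit(page_url).scheme.lower() == "https",
        "insecure_links": [f for f in findings if f[2] == "insecure"],
        "secure_links": [f for f in findings if f[2] == "ok"],
        "findings": findings,
    }


def downloads_protected(report):
    """True only if the page and every download link are served over HTTPS."""
    return report["page_over_https"] and not report["insecure_links"]


# Constructed sample page: hostnames and file names are hypothetical.
SAMPLE_PAGE_URL = "http://jxplorer.org/downloads/users.html"
SAMPLE_HTML = """
<html><body>
<h1>Downloads</h1>
<a href="https://github.com/example/project/releases">Source releases</a>
<a href="http://downloads.example.test/tool-1.0.zip">Windows build</a>
<a href="tool-1.0.tar.gz">Unix build</a>
<a href="//mirror.example.test/tool-1.0.dmg">Mac build</a>
<a href="mailto:support@example.test">Contact</a>
</body></html>
"""

if __name__ == "__main__":
    report = audit_download_page(SAMPLE_PAGE_URL, SAMPLE_HTML)
    print("page over HTTPS:", report["page_over_https"])
    for href, absolute, verdict in report["findings"]:
        print(f"{verdict:9} {href!r} -> {absolute}")
    print("downloads protected:", downloads_protected(report))
```

Run against a live site by replacing `SAMPLE_HTML` with the body of an HTTP GET of the page. Note that the same page audited at an `https://` URL would clear the relative and scheme-relative links but still flag the explicit `http://` one, which is why both the page and every link need fixing.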
JLLeitschuh commented
Ping!
pegacat commented
*sigh* - the problem is that the jxplorer site is hosted on a truly ancient 'managed' server and it turns out it can't be hardened in-situ; they say I have to move the site to a new hosting environment - which is a bunch of work... the download links are all https, but I take your point about MITM attacks. The next time I update the site I'll move it I guess... :-/
*Dr Christopher Betts*
Pegacat Aerospace
Melbourne, Australia