Should default to https for Confluence download URL
Closed this issue · 4 comments
As it's pulling down executable code, the use of http (unauthenticated server) for downloading the Confluence tgz is insecure and open to MITM abuse. This is a bigger issue too because Puppet's extracts etc. are often running as a privileged user and there's no checksum/integrity verification available on the downloads (i.e. sha256sums aren't published).
Recommend changing default:
downloadURL => 'http://www.atlassian.com/software/confluence/downloads/binary/'
to
downloadURL => 'https://www.atlassian.com/software/confluence/downloads/binary/'
I understand http might occasionally be preferable to achieve web proxy cache hits for download performance. I've commented on https://jira.atlassian.com/browse/CONF-25687 and voted for getting sha256sums published (over https), so http downloads might become an option again in future.
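As an added illustration of the two controls the report asks for (this is example code, not part of the Puppet module or of Atlassian's tooling), the shell snippet below refuses any download URL that is not https and checks a SHA-256 digest before the archive would be handed to an extract step. The URL is the module's corrected default; the checksum is computed over a constructed local file because, as the report notes, Atlassian does not publish sha256sums for the tarball.

```shell
# Added example, not code from the Puppet module: guard a Confluence download by
# (1) rejecting non-https URLs and (2) verifying a SHA-256 digest before extraction.
set -u

# Return 0 only if the URL uses the https scheme.
require_https() {
  case "$1" in
    https://*) return 0 ;;
    *) echo "refusing non-https download URL: $1" >&2; return 1 ;;
  esac
}

# Print the SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 only if the file's SHA-256 matches the expected (published) digest.
verify_sha256() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

# Demo against a constructed local file standing in for the downloaded tgz.
demo() {
  tmp=$(mktemp)
  printf 'not really a confluence tarball\n' > "$tmp"
  expected=$(sha256_of "$tmp")   # constructed: a real run would use a published digest
  require_https 'https://www.atlassian.com/software/confluence/downloads/binary/' || return 1
  verify_sha256 "$tmp" "$expected" || return 1
  rm -f "$tmp"
  echo "scheme and checksum checks passed"
}
```

In a Puppet context the same two checks would sit between the download resource and the extract resource, so a failed scheme check or digest mismatch stops the run before anything is unpacked as a privileged user.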
👍 Would you like to submit this as a PR?
This appears to have been resolved already.
I confirm the URL is set to:
$download_url = 'https://www.atlassian.com/software/confluence/downloads/binary',
It would be good to close this issue in order to know what work this module still needs.