oss-sec mailing list archives
Re: HTTPS
From: gremlin () gremlin ru
Date: Fri, 16 Aug 2013 14:58:34 +0400
On 15-Aug-2013 13:34:57 +0000, Jeremy Stanley wrote:
Unlike SSH, the HTTPS clients (which usually are the browsers) do not cache the visited servers' certificates, fully relying on issuing CA's honesty. This introduces a risk of false sense of security. Hmmmm... It seems that keeping self-signed certificates is even more safe than relying on "trusted" CAs...
Dragging this back onto the original topic, hopefully, the above concerns are far less relevant for a tool focused on downloading packages from a single site. The gem utility could absolutely pin its validation expectations to a single signing authority or even to a single server certificate (and make it a configurable list to support private package repositories and mirrors where desired). The transport security implications for a system with basically one distribution endpoint offer significantly different solutions than a many-to-many association like Web browsing.
Yes - that's exactly the point why I started this subthread: signing files is much more important than forcing people to connect via HTTPS.

--
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG key ID: 0xEF3B1FA8, keyserver: hkp://subkeys.pgp.net
GPG key fingerprint: 8832 FE9F A791 F796 8AC9 6E4E 909D AC45 EF3B 1FA8
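
The pinning described in the quoted text above (one signing authority or one server certificate per host, with a configurable list for mirrors), sketched as an added example that is not part of the original message and not RubyGems code. Host names, certificates and the `pinned?` helper are constructed for illustration; the check assumes it runs alongside normal chain validation, not instead of it.

```ruby
require "openssl"
require "digest"

# Constructed demo certificate; with no issuer given it is self-signed.
def make_cert(cn, issuer = nil, issuer_key = nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1..2**32)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Pin = SHA-256 of the DER public key, so it survives re-issuance with the same key.
def pin_of(cert)
  Digest::SHA256.hexdigest(cert.public_key.to_der)
end

# chain: leaf first, then issuers (a real client would pass SSLSocket#peer_cert_chain).
def pinned?(pins, host, chain)
  linked  = chain.each_cons(2).all? { |c, i| c.verify(i.public_key) }
  allowed = pins.fetch(host, []) # host without pins is rejected
  linked && chain.any? { |c| allowed.include?(pin_of(c)) }
end

def demo
  ca, ca_key   = make_cert("Example Repo CA")
  leaf, _      = make_cert("gems.example.org", ca, ca_key)
  mirror, _    = make_cert("mirror.example.net")
  rogue_ca, rk = make_cert("Other Trusted CA")
  rogue, _     = make_cert("gems.example.org", rogue_ca, rk)
  pins = {
    "gems.example.org"   => [pin_of(ca)],     # pinned to a signing authority
    "mirror.example.net" => [pin_of(mirror)], # pinned to one server certificate
  }
  {
    genuine:  pinned?(pins, "gems.example.org", [leaf, ca]),
    mirror:   pinned?(pins, "mirror.example.net", [mirror]),
    rogue:    pinned?(pins, "gems.example.org", [rogue, rogue_ca]),
    appended: pinned?(pins, "gems.example.org", [rogue, ca]), # pinned CA tacked on
    unknown:  pinned?(pins, "other.example.com", [leaf, ca]),
  }
end
p demo if __FILE__ == $PROGRAM_NAME
```

The `rogue` case is a certificate for the right host name issued by a different CA: ordinary CA-based validation would accept it if that CA were in the trust store, while the pin check rejects it.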