* Török Edwin wrote:
> On 05/14/2010 09:42 PM, Nathan Gibbs wrote:
>>
>> 1. Is moving updates over https a good idea? For the ClamAV update
>> infrastructure at large, probably not.
>
> For the public mirrors no. https has extra overhead (ssl setup),

That's what I thought, more complicated for you guys.

> and the CVD files contain a digital signature already (which is checked by
> freshclam) so https won't offer any additional security.
>

Oh, and redundant, so for the public mirrors, it is a bad idea.

>> For a local mirror setup, it would be an interesting option.
>
> Is it just about using port 443 to connect (and still using http protocol)
> or actually using the https protocol to transfer the files?
>

Using the https protocol.
I would like the option to use the https protocol with freshclam in a local mirror setup.

At our site, the "update server" hosts clamav DBs, snort rules, some conf files, etc.
The ability to protect the other data would be a plus.
It would add another layer of defense to our setup.
However, it's not workable if Freshclam cannot speak https.

It's redundant as far as ClamAV's data integrity goes.
However, I think it's worth doing as far as "hack value" and interoperability go.

I would already be running https on our update server, except
1. I hadn't even thought of it until Eddie Ekwo mentioned it.
2. I'm not sure if freshclam can speak https.

I'll gladly put my 2 cents into the bugzilla, but only if it's an idea you guys think is worth considering.

Thanks

--
Sincerely,
Nathan Gibbs
Systems Administrator
Christ Media
http://www.cmpublishers.com