Hi,

Thanks for noticing and reporting this :)

On 1/31/21 7:19 AM, Paul Wise wrote:
> I noticed that the data feed is not downloaded using https, so network
> attackers could modify the data feed to change my choice of downloads
> to something I didn't want to download.

I'm going to cherry-pick the upstream fix for this and upload it shortly so it'll be in bullseye.

> Also most of the datasets point at http instead of https URLs even
> though the servers do support https. It would be good if kiwix had a
> list of download servers that support https and then always use https
> to contact those download servers.

The catalog is used by other devices, and apparently some older Android devices didn't have the correct certs for Let's Encrypt? I'll continue following up with upstream on this, but I'm going to mark this bug as closed by the first change since this latter part shouldn't require any fixes/adjustments to the Kiwix code once the catalog is updated.

-- Kunal
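The allow-list approach Paul suggests above (keep a list of download servers known to support https and always use https for those), as an added example that is not part of this thread and not Kiwix's own code. The host names and catalog entries are constructed for illustration, not the real Kiwix mirrors; the feed itself would still need to be fetched over https for this to help, since a rewritten URL list is only as trustworthy as the channel it arrived on.

```python
from urllib.parse import urlparse, urlunparse

# Constructed allow-list of download hosts known to serve https.
# Hypothetical names; a real deployment would maintain this list itself.
HTTPS_CAPABLE_HOSTS = {"download.example.org", "mirror.example.net"}

# Constructed sample catalog entries, shaped like a library feed might list them.
SAMPLE_CATALOG = [
    "http://download.example.org/zim/wikipedia_en_all.zim",
    "http://mirror.example.net/zim/wiktionary_fr.zim",
    "http://legacy.example.com/zim/old_dataset.zim",
    "https://download.example.org/zim/already_secure.zim",
]


def upgrade_url(url, https_hosts=HTTPS_CAPABLE_HOSTS):
    """Rewrite an http:// URL to https:// when its host is on the allow-list.

    URLs with an explicit port are left untouched: the https endpoint for
    such a host is not known to be on the same port, so a blind rewrite
    could break the download rather than secure it.
    """
    parts = urlparse(url)
    if parts.scheme != "http" or parts.port is not None:
        return url
    if parts.hostname in https_hosts:
        return urlunparse(parts._replace(scheme="https"))
    return url


def audit_catalog(urls, https_hosts=HTTPS_CAPABLE_HOSTS):
    """Upgrade every eligible URL and report the ones still served in plaintext.

    Returns (upgraded_urls, still_plaintext). The second list is what a
    maintainer would chase: hosts that either lack https or are missing
    from the allow-list.
    """
    upgraded = [upgrade_url(u, https_hosts) for u in urls]
    plaintext = [u for u in upgraded if urlparse(u).scheme != "https"]
    return upgraded, plaintext


if __name__ == "__main__":
    fixed, remaining = audit_catalog(SAMPLE_CATALOG)
    for url in fixed:
        print(url)
    print("still plaintext:", remaining)
```

Running the block prints the rewritten catalog and lists the single entry whose host is not on the allow-list, which is the set of URLs that still expose the user to the modification Paul describes.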
