On Tue, Sep 25, 2018 at 1:04 PM Antonio <[email protected]> wrote:
> Hi Kenneth,
>
> I don't think there's any security related problem here. The Apache
> Mirror System, for instance, uses "http" frequently. IMHO there's no
> need to encrypt files that are publicly available for everyone to see.

Nonsense. There is nothing stopping a man in the middle attack from causing you to download malicious bits masquerading as a module or injected into a legitimate one. The plugins site could sign modules, but since it aggregates modules from elsewhere, that wouldn't mean much. And if the signature is not tied to the download host, all it means is "someone signed it" - a proxy that injects code and signs the result would be trivial. If it were tied to the download host, module aggregators would be impossible.

HTTPS is not just for protecting sensitive information. It is also for verifying that you're talking to the server you think you are. There is no excuse in today's world for not using HTTPS for everything.

And before someone says "but you can have the SHA-1 hash as a separate download, as a lot of sites offer": that is not a security measure, just a way of checking if your download is corrupted - if you can fake the bits you can fake the hash. Either trust is end to end, or you don't have any.

-Tim

> Security is on the IDE side: verifying that the downloaded file has not
> been modified while on transit, either by using a PGP signature or other
> digesting techniques, as the ASF guidelines mandate.
>
> Cheers,
> Antonio
>
> On 25/09/2018 at 18:55, Kenneth Jaeger wrote:
>> The plugins.netbeans.org does not use https by default, nor does it allow
>> https. An error occurs if you try to change it to https.
>>
>> The updates.netbeans.org site does allow the use of https, but does not
>> redirect to https if http is used.
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
> For further information about the NetBeans mailing lists, visit:
> https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
>

-- 
http://timboudreau.com
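The point Tim makes about a detached hash file, modelled in code. This is an added illustration, not code from the thread or from the NetBeans project: it builds two constructed byte strings standing in for a module and a tampered copy, models a plain-http download with a sibling .sha1 file, and compares two client-side checks. Check A compares against the hash that travelled over the same unauthenticated channel as the module, which only catches accidental corruption. Check B compares against a digest the client already holds from an authenticated source (a hypothetical HTTPS-served, signed catalogue), which is the "end to end" trust the reply asks for. The function and constant names are all assumptions for this example.

```python
import hashlib
import hmac

# Constructed sample artefacts for the example; not real NetBeans modules.
GENUINE_MODULE = b"org-example-plugin-1.0.nbm: legitimate module bytes"
TAMPERED_MODULE = b"org-example-plugin-1.0.nbm: legitimate module bytes + injected code"


def sha1_hex(data: bytes) -> str:
    """SHA-1, because that is the digest the thread talks about; the choice
    of hash function does not change the argument below."""
    return hashlib.sha1(data).hexdigest()


def origin_serves() -> tuple[bytes, str]:
    """What an origin serves over plain http: the module plus a detached
    .sha1 file sitting next to it, fetched over the same unprotected path."""
    return GENUINE_MODULE, sha1_hex(GENUINE_MODULE)


def on_path_rewrite(module: bytes, digest: str) -> tuple[bytes, str]:
    """Threat model from the thread: plain http gives the client no way to
    tell who it is talking to, so an on-path intermediary can substitute
    the bytes and publish a matching detached hash alongside them."""
    return TAMPERED_MODULE, sha1_hex(TAMPERED_MODULE)


def verify_detached_hash(module: bytes, digest_from_same_channel: str) -> bool:
    """Check A: the hash downloaded next to the module. Both travelled the
    same path, so agreement proves nothing about who produced them."""
    return hmac.compare_digest(sha1_hex(module), digest_from_same_channel)


def verify_pinned_hash(module: bytes, pinned_digest: str) -> bool:
    """Check B: a digest the client obtained beforehand from a source it can
    authenticate (hypothetical HTTPS-served catalogue). The download itself
    may still go over http; only the reference value must be trustworthy."""
    return hmac.compare_digest(sha1_hex(module), pinned_digest)


def run(attacked: bool) -> dict:
    """Run one download with or without an on-path intermediary and report
    what each check concludes."""
    pinned = sha1_hex(GENUINE_MODULE)  # learned out of band before the download
    module, digest = origin_serves()
    if attacked:
        module, digest = on_path_rewrite(module, digest)
    return {
        "detached_hash_ok": verify_detached_hash(module, digest),
        "pinned_hash_ok": verify_pinned_hash(module, pinned),
    }


if __name__ == "__main__":
    print("no intermediary:   ", run(False))  # both checks pass
    print("on-path intermediary:", run(True))  # detached passes, pinned fails
```

The only difference between the two checks is where the reference digest came from. A signed catalogue fetched over HTTPS, or the module served over HTTPS in the first place, gives the client a value tied to a party it has authenticated; a .sha1 file on the same plain-http host does not, which is why the reply calls it a corruption check rather than a security measure.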
