On 14/01/16 01:19, Yann Ylavic wrote:
> On Thu, Jan 14, 2016 at 1:05 AM, Tom Fredrik Blenning Klaussen
> <b...@blenning.no> wrote:
>>
>> The link: https://httpd.apache.org/dist/
>>
>> does not exist anywhere on https://httpd.apache.org/download.cgi
>
> Yes sorry, I meant https://www.apache.org/dist/httpd/
> (httpd.apache.org/dev/dist/ - I missed the /dev/ - is where each
> release lands before being accepted by the community).

Still does not exist on the page; this time I searched for all occurrences of '/dist/' and inspected them. Said URL (httpd.apache.org/dev/dist/) links back to https://httpd.apache.org/download.cgi

I'm assuming you really mean www.apache.org/dist/httpd/, which is linked from the page.

>
>> The problem is that every single link on this https page is to a
>> http page. If this is a shared source, for the http and https
>> versions, which I suspect it is, this could be fixed by making
>> the href for instance to //httpd.apache.org/dist/
>
> Is your concern the user's confidentiality (accessing external
> links)? Otherwise, as I said earlier, the way you access the
> tarball is not that important provided you verify its signature, or
> its digests from the official repository only.

Although the user's confidentiality is a valid concern, for the purpose of this discussion I'm assuming a MitM attack. I understand what you are saying, that the proper way is to download the checksums from the correct source, which is self-evident. Now assume you're a new user, and do not have this previous knowledge. This user is security conscious, so the user chooses https on purpose. He would go into (https://httpd.apache.org), where he would find a link taking him to (https://httpd.apache.org/download.cgi); at this point he would find the link to (http://www.apache.org/dist/httpd/). What I'm saying is that in order to have some trust in that link, it _SHOULD_ be https; otherwise, assuming you could introduce yourself as a MitM, manipulating the signatures would be trivial.
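The two points made in this exchange are (a) a tarball is only as trustworthy as the digest or signature you check it against, which must come from the official repository, and (b) a digest fetched over a plain http:// link gives a network attacker the chance to swap both the tarball and its digest. The script below is an added example written for this thread; it is not code from either poster or from the httpd project. It assumes a `sha256sum`-style digest file (`<hex> *<name>` or `<hex>  <name>`), treats only https://www.apache.org/dist/httpd/ (the URL named in the thread) as a trusted origin for digest files, and builds its own constructed tarball, digest file and tampered copy in a temporary directory so it runs offline.

```python
#!/usr/bin/env python3
"""Check a downloaded tarball against a digest file, and refuse digest
sources that are not the official HTTPS repository.

Added example for the docs@httpd thread, not project code. The files it
creates are constructed for the demonstration; the only real URL is the
https://www.apache.org/dist/httpd/ repository the thread refers to.
"""
import hashlib
import os
import tempfile
from urllib.parse import urlparse

# The official distribution directory named in the thread (assumed to be the
# one and only place digests/signatures should be fetched from).
TRUSTED_DIGEST_ORIGIN = "https://www.apache.org/dist/httpd/"


def is_trustworthy_source(url):
    """A digest/signature URL is trusted only when it is HTTPS *and* lives
    under the official dist directory. An http:// link, which is what the
    download page hands out, can be rewritten by anyone on the path, so the
    digest it serves proves nothing about the tarball."""
    parts = urlparse(url)
    trusted = urlparse(TRUSTED_DIGEST_ORIGIN)
    return (parts.scheme == "https"
            and parts.hostname == trusted.hostname
            and parts.path.startswith(trusted.path))


def sha256_of_file(path):
    """Stream the file so large tarballs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_digest_line(line):
    """Parse one sha256sum-style line: '<hex>  <name>' or '<hex> *<name>'."""
    fields = line.strip().split(None, 1)
    if len(fields) != 2:
        raise ValueError("malformed digest line: %r" % line)
    hexdigest, name = fields
    return hexdigest.lower(), name.lstrip("*")


def verify_tarball(tarball_path, digest_path):
    """True only if the digest file lists this tarball's name and the
    recorded SHA-256 matches the file on disk. A tarball that is absent
    from the digest file fails closed rather than passing as 'unknown'."""
    expected_name = os.path.basename(tarball_path)
    actual = sha256_of_file(tarball_path)
    with open(digest_path) as f:
        for line in f:
            if not line.strip():
                continue
            hexdigest, name = parse_digest_line(line)
            if os.path.basename(name) == expected_name:
                return hexdigest == actual
    return False


def make_demo_files(tmpdir):
    """Construct a fake 'release' tarball with a matching digest file, plus a
    modified copy under the same file name in a second directory, standing in
    for a download that was altered in transit."""
    good = os.path.join(tmpdir, "httpd-demo.tar.gz")
    with open(good, "wb") as f:
        f.write(b"constructed tarball bytes, not a real release\n")
    digest = os.path.join(tmpdir, "httpd-demo.tar.gz.sha256")
    with open(digest, "w") as f:
        f.write("%s *httpd-demo.tar.gz\n" % sha256_of_file(good))
    mitm_dir = os.path.join(tmpdir, "mitm")
    os.mkdir(mitm_dir)
    tampered = os.path.join(mitm_dir, "httpd-demo.tar.gz")
    with open(tampered, "wb") as f:
        f.write(b"constructed tarball bytes, modified in transit\n")
    return good, digest, tampered


def demo():
    """Run the checks on the constructed files and on the three kinds of
    digest URL a user might be handed; returns a dict of the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        good, digest, tampered = make_demo_files(tmp)
        return {
            "good_verifies": verify_tarball(good, digest),
            "tampered_verifies": verify_tarball(tampered, digest),
            "https_dist_trusted": is_trustworthy_source(
                "https://www.apache.org/dist/httpd/httpd-demo.tar.gz.sha256"),
            "http_dist_trusted": is_trustworthy_source(
                "http://www.apache.org/dist/httpd/httpd-demo.tar.gz.sha256"),
            # mirror.example is a constructed host, not a real mirror
            "mirror_trusted": is_trustworthy_source(
                "https://mirror.example/httpd/httpd-demo.tar.gz.sha256"),
        }


if __name__ == "__main__":
    for check, result in demo().items():
        print("%-20s %s" % (check, result))
```

The origin check is deliberately stricter than "is it HTTPS": a third-party mirror served over HTTPS is still not the official repository, which is the distinction Yann draws above, and the digest file must name the tarball explicitly so that a download of the wrong (or renamed) artifact cannot slip through on a missing entry.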