On Tuesday, July 11, 2017 at 12:42:19 PM UTC+2, salk31 wrote: > > I think Bob has a point. I don't think HTTPS helps that much. Isn't the > issue that somebody could generate a new binary that has a SHA1 that > matches the real binary? >
Yes, but if you download the SDK through HTTPS, you know the file you receive is the one you expect. It'd be much easier I believe to intercept traffic to gwtproject.org (which doesn't use HTTPS, yet [1]; I'm sure it'll be the case as soon as Google provides free certificates, or someone takes the time to automated it with Let's Encrypt, or gives some money to buy a certificate and commits to renew it as needed) to serve different URLs and checksums, than to craft a SHA1 collision. I'd also strongly suggest people grab the JARs from the Central Repository. I mean, even people using build tools without so-called "managed dependencies" do it rather than downloading the SDK [2] (you'll notice that Bazel, the build tool from Google, uses SHA1 too with no stronger option [3], same for Maven BTW). I, for one, don't even understand why we're still providing those binaries, but that's another debate. Note again that I'm not dismissing the request to change to SHA-256 (Bazel binaries are downloaded through HTTPS, from a page in HTTPS, and provide SHA-256 checksums [4]; this is definitely what we should aim for; iff we keep providing those binaries for GWT), I'm only pondering the criticality of the vulnerability. And again, as long as the website (at a minimum the webpage with the download links and checksums) is not served with HTTPS, it's useless to argue SHA-1 vs SHA-256. If you're really serious about security, there are other priorities (and in the mean time, you can still compile from sources). [1] https://github.com/gwtproject/gwt-site/issues/210 [2] https://gerrit.googlesource.com/gerrit/+/stable-2.14/WORKSPACE#103 [3] https://docs.bazel.build/versions/master/be/workspace.html#maven_jar.sha1 [4] https://github.com/bazelbuild/bazel/releases -- You received this message because you are subscribed to the Google Groups "GWT Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/google-web-toolkit. For more options, visit https://groups.google.com/d/optout.
