On Wednesday, 11 March 2015, at 12:31:55, ChALkeR wrote:
> I was told that it is ok to send this to a public ML.
>
> As it is now, the OCS providers.xml file
> ( http://download.kde.org/ocs/providers.xml ) is served via http, which
> breaks the https chain and allows a MitM attack replacing the actual
> provider location url with a malicious provider url. Or downgrading the
> protocol to http and inserting payloads in actual content from kde-*.org
> on the fly.
>
> Fixing it would require introducing an https server that serves the
> providers.xml file (download.kde.org does not serve anything through
> https); Ben Cooksley suggests copying that file to autoconfig.kde.org.
>
> After that, all *.knsrc files should get the ProvidersUrl changed to the
> new location, and the old location could be removed after a couple of
> years. Another way of fixing that would be to add yet another (temporary?)
> hack to knewstuff that replaces one specific url with a new https one.
>
> On a side note, http://edu.kde.org/ should be replaced with
> https://edu.kde.org/ in some places (including the knewstuff itself).
>
> Comments?
Using https so people's downloads cannot be hijacked sounds like a good thing :)

Cheers,
  Albert
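A defender-side check for the migration ChALkeR describes above, added here as an example and not code from KDE, knewstuff, or either poster: it scans .knsrc file bodies for ProvidersUrl values whose scheme is not https, reports them per file, and rewrites only the one plain-http location that the thread names to an assumed https replacement. The sample file contents, the `MIGRATION` table, and the exact autoconfig.kde.org path are constructed assumptions (the thread names the host but not the final path); URLs not in the table are left untouched, since a host that does not serve https cannot simply be rewritten.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample .knsrc bodies (not real files from the KDE tree).
SAMPLE_KNSRC = {
    "wallpaper.knsrc": (
        "[KNewStuff3]\n"
        "Name=Wallpapers\n"
        "Categories=Wallpaper\n"
        "ProvidersUrl=http://download.kde.org/ocs/providers.xml\n"
    ),
    "emoticons.knsrc": (
        "[KNewStuff3]\n"
        "Name=Emoticons\n"
        "ProvidersUrl=https://autoconfig.kde.org/ocs/providers.xml\n"
    ),
    "odd.knsrc": (
        "[KNewStuff3]\n"
        "Name=Odd spacing and casing\n"
        "ProvidersUrl = HTTP://download.kde.org/ocs/providers.xml\n"
    ),
}

# ProvidersUrl key in a KDE config group; tolerant of spaces around '='.
KEY_RE = re.compile(r"^\s*ProvidersUrl\s*=\s*(?P<url>\S+)\s*$", re.IGNORECASE)

# Assumed migration table: the plain-http location named in the thread ->
# an https location on the host Ben Cooksley suggested (path is a placeholder).
MIGRATION = {
    "http://download.kde.org/ocs/providers.xml":
        "https://autoconfig.kde.org/ocs/providers.xml",
}


def normalize(url):
    """Lower-case scheme and host so table lookups survive odd casing."""
    parts = urlsplit(url)
    return urlunsplit(parts._replace(netloc=parts.netloc.lower()))


def provider_urls(text):
    """Return every ProvidersUrl value found in one .knsrc body, in order."""
    found = []
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            found.append(m.group("url"))
    return found


def insecure_provider_urls(text):
    """ProvidersUrl values that are not https (plain http or no scheme at all)."""
    return [u for u in provider_urls(text) if urlsplit(u).scheme != "https"]


def audit(files):
    """Map file name -> insecure ProvidersUrl values, for files that have any."""
    report = {}
    for name, body in files.items():
        bad = insecure_provider_urls(body)
        if bad:
            report[name] = bad
    return report


def migrate(text, table=MIGRATION):
    """Rewrite ProvidersUrl lines whose URL is in the table; leave others as-is."""
    out = []
    for line in text.splitlines(keepends=True):
        m = KEY_RE.match(line)
        if m:
            old = m.group("url")
            new = table.get(normalize(old))
            if new is not None:
                line = line.replace(old, new)
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    for name, urls in audit(SAMPLE_KNSRC).items():
        print(f"{name}: insecure ProvidersUrl {urls}")
    migrated = {n: migrate(b) for n, b in SAMPLE_KNSRC.items()}
    print("remaining after migration:", audit(migrated))
```

Running the audit before and after `migrate` is the useful check: the first pass shows which files still point at the plain-http providers.xml, and an empty report after migration confirms nothing was left on http, including entries written with unusual casing or spacing.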
