On Fri, Mar 13, 2015 at 11:24 AM, Albert Astals Cid <[email protected]> wrote:
> On Wednesday, 11 March 2015, at 12:31:55, ChALkeR wrote:
>> I was told that it is ok to send this to a public ML.
>>
>> As it is now, the OCS providers.xml file
>> ( http://download.kde.org/ocs/providers.xml ) is served via http, which
>> breaks the https chain and allows a MitM attack replacing the actual
>> provider location url with a malicious provider url. Or downgrading the
>> protocol to http and inserting payloads into actual content from kde-*.org
>> on the fly.
>>
>> Fixing it would require introducing an https server that serves the
>> providers.xml file (download.kde.org does not serve anything through
>> https); Ben Cooksley suggests copying that file to autoconfig.kde.org.
>>
>> After that, all *.knsrc files should get the ProvidersUrl changed to the
>> new location, and the old location could be removed after a couple of
>> years. Another way of fixing that would be to add yet another (temporary?)
>> hack to knewstuff that replaces one specific url with a new https one.
>>
>> On a side note, http://edu.kde.org/ should be replaced with
>> https://edu.kde.org/ in some places (including knewstuff itself).
>>
>> Comments?
>
> Using https so people's downloads cannot be hijacked sounds like a good thing
> :)

If there is no further feedback on this, I'd suggest a ticket be opened requesting the file to be deployed on autoconfig.kde.org, then review requests being filed against the relevant applications to adjust their behaviour.

> Cheers,
> Albert
>
>>> Visit http://mail.kde.org/mailman/listinfo/kde-devel#unsub to unsubscribe <<

Regards,
Ben
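An added example, not code from this thread or from KNewStuff itself: a small audit that walks the chain the thread describes (the ProvidersUrl in a .knsrc file, then every URL inside the providers.xml it points to) and reports each link that is still plaintext HTTP, i.e. each point where a network MitM could substitute a provider. The .knsrc and providers.xml contents are constructed samples, and the providers.xml layout (a `location` attribute per provider) is an assumption; the scan looks at every attribute and text node, so it does not depend on that layout.

```python
"""Audit a KNewStuff download chain for plaintext-HTTP links (added example)."""
import configparser
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample .knsrc: the ProvidersUrl is the real one from the thread,
# the other keys are illustrative only.
KNSRC = """\
[KNewStuff3]
ProvidersUrl=http://download.kde.org/ocs/providers.xml
Categories=Wallpaper
"""

# Constructed sample providers.xml with placeholder hosts; the element/attribute
# layout is an assumption, not the real file's schema.
PROVIDERS_XML = """\
<providers>
  <provider name="Provider A" location="http://provider-a.example.invalid/ocs/v1/"
            icon="https://provider-a.example.invalid/icon.png"/>
  <provider name="Provider B" location="https://provider-b.example.invalid/ocs/v1/"/>
</providers>
"""


def providers_url(knsrc_text):
    """Read ProvidersUrl from the [KNewStuff3] section of a .knsrc file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(knsrc_text)
    return cp["KNewStuff3"]["ProvidersUrl"].strip()


def plaintext_urls(xml_text):
    """Return every http:// URL found in any attribute or text node of the XML."""
    found = []
    for elem in ET.fromstring(xml_text).iter():
        for value in list(elem.attrib.values()) + [elem.text or ""]:
            value = value.strip()
            if urlsplit(value).scheme == "http":
                found.append(value)
    return found


def audit(knsrc_text, xml_text):
    """List (where, url) for each link a MitM on the path could tamper with."""
    findings = []
    purl = providers_url(knsrc_text)
    if urlsplit(purl).scheme != "https":
        findings.append(("ProvidersUrl", purl))
    for url in plaintext_urls(xml_text):
        findings.append(("provider location", url))
    return findings


if __name__ == "__main__":
    for where, url in audit(KNSRC, PROVIDERS_XML):
        print(f"{where}: {url} is not https")
```

Run against the real files once the https copy exists: an empty result means both the providers.xml fetch and every provider it lists stay inside the HTTPS chain.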
