By design HTTPS/TLS is supposed to protect against man-in-the-middle! Isn't 
that what certificate signing is all about? Else we could just all generate 
our own certificates. SSH on the other hand does not really prevent MitM 
(but mitigates it slightly with fingerprints). Correct me if I'm wrong 
here.

On Thursday, December 5, 2013 4:25:53 PM UTC-8, Alex Kocharin wrote:
>
>
> Yeah, shasums are usually pgp signed.
>
> HTTPS is a protection against traffic sniffing, nothing more than that. 
> While it's nice to use it everywhere, it doesn't really protect against 
> MitM.
>
>
> On Tuesday, December 3, 2013 1:10:29 AM UTC+4, Igor Partola wrote:
>>
>> This is a security issue. For example this announcement of 0.11.9 
>> availability (http://blog.nodejs.org/2013/11/20/node-v0-11-9-unstable/) 
>> is served in plaintext, such that the SHA1 signatures can be tampered along 
>> with the binaries to run arbitrary code on the target machine. Note that 
>> there is no option to access any resource on *.nodejs.org via HTTPS
>>
>> Please enable HTTPS on this site. Additionally, please provide checksums 
>> using algorithms other than SHA1, such as SHA256.
>>
>

-- 
-- 
Job Board: http://jobs.nodejs.org/
Posting guidelines: 
https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
You received this message because you are subscribed to the Google
Groups "nodejs" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/nodejs?hl=en

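The point argued in this thread (a checksum served over the same plaintext channel as the binary gives no protection against an active attacker, while a signed checksum file does) can be demonstrated offline. The following is an added example written for this page, not code from the thread or from the Node.js project's release tooling. It assumes a SHASUMS256.txt-style listing (one "<hex>  <filename>" line per file) and stands in for the publisher's PGP key with a toy textbook-RSA key built from two well-known Mersenne primes; that key, the tarball bytes and the file name are constructed for the example and the RSA is deliberately not secure. In practice the signature step is "gpg --verify" against a key obtained independently of the download.

```python
import hashlib

# Toy RSA key from two known Mersenne primes (2^521-1 and 2^607-1).
# Assumed for this example only: NOT a secure key and NOT real PGP.
# It stands in for the publisher's signing key so the example runs offline.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # modular inverse, Python 3.8+


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_shasums(files: dict) -> str:
    """Build a SHASUMS256.txt-style listing: '<hex>  <filename>' per line."""
    return "".join(f"{sha256_hex(blob)}  {name}\n"
                   for name, blob in sorted(files.items()))


def parse_shasums(text: str) -> dict:
    """Parse '<hex>  <filename>' lines into {filename: hex}; reject junk."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        out[name] = digest.lower()
    return out


def sign(data: bytes, d: int = D, n: int = N) -> int:
    """Textbook RSA over SHA-256(data). Toy: no padding, no real key."""
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)


def verify_signature(data: bytes, sig: int, e: int = E, n: int = N) -> bool:
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")


def check_unsigned(blob: bytes, name: str, shasums_text: str) -> bool:
    """What a user does when they only compare the binary against the
    published hash. Anyone who can rewrite the binary in transit can
    rewrite this file too, so it only catches accidental corruption."""
    return parse_shasums(shasums_text).get(name) == sha256_hex(blob)


def check_signed(blob: bytes, name: str, shasums_text: str, sig: int,
                 pubkey=(E, N)) -> bool:
    """Verify the checksum file's signature with a key obtained out of
    band, and only then trust the hashes inside it."""
    if not verify_signature(shasums_text.encode(), sig, *pubkey):
        return False
    return check_unsigned(blob, name, shasums_text)


def scenario() -> dict:
    # Constructed sample data; not real release artifacts.
    name = "node-v0.11.9-linux-x64.tar.gz"
    genuine = b"constructed stand-in for the real tarball"
    shasums = make_shasums({name: genuine})
    sig = sign(shasums.encode())          # publisher signs the listing

    # Active attacker on the plaintext path swaps the tarball and
    # regenerates the checksum file so the hashes still match.
    evil = b"constructed stand-in for a backdoored tarball"
    evil_shasums = make_shasums({name: evil})
    forged_sig = sign(evil_shasums.encode(), d=12345)   # attacker lacks D

    return {
        "genuine_unsigned": check_unsigned(genuine, name, shasums),
        "genuine_signed": check_signed(genuine, name, shasums, sig),
        # hash-only check is fooled: both files came from the attacker
        "tampered_unsigned": check_unsigned(evil, name, evil_shasums),
        # the real signature does not cover the rewritten listing
        "tampered_old_sig": check_signed(evil, name, evil_shasums, sig),
        # and the attacker cannot produce a valid one
        "tampered_forged_sig": check_signed(evil, name, evil_shasums, forged_sig),
    }


if __name__ == "__main__":
    for label, ok in scenario().items():
        print(f"{label:20s} {'PASS' if ok else 'FAIL'}")
```

The "tampered_unsigned" case passing is exactly the issue raised in the original report: a SHA1 or SHA256 line next to the download adds nothing against an attacker who controls the connection. The signature check fails for the tampered set only because the verifier's copy of the public key did not travel over the attacked channel; the same holds for real PGP keys, which is why the key fingerprint has to come from somewhere other than the plaintext site.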