TLS would protect you against all sorts of things. But, it wouldn't protect any better (and certainly not cheaper) than verifying the PGP signatures of the SHA256 sums.
Qv: http://nodejs.org/dist/v0.10.22/SHASUMS256.txt.asc

On Mon, Dec 9, 2013 at 2:09 PM, Alex Kocharin <[email protected]> wrote:

> SSH and HTTPS are both a strong protection against traffic sniffing, but
> are prone to MitM in some cases.
>
> Certificate signing means nothing, because:
> 1. There are countless CAs all around the world, and every single one of
> them can issue a certificate for any domain.
> 2. If you're in a corporate network, it's usual to add corporate CAs to the CA
> list in order for local resources to work. But it means that the corporate CA
> can issue a certificate for any domain.
>
> Even worse than that, TLS is vulnerable to the so-called "compelled
> certificate creation attack", which means that a legitimate CA can be
> forced to issue a fraudulent certificate that can be used for MitM later.
> See http://files.cloudprivacy.net/ssl-mitm.pdf .
>
> SSH is in fact more secure than HTTPS, because it stores the public key
> locally. If you connect to a legit host once, you can feel safe connecting
> to it later, because you have the public key. SSH also provides a
> possibility to obtain a fingerprint from DNS, so if you manage to secure
> your connection to a public DNS server, you are safer than with HTTPS.
>
> I'm eagerly waiting for the DANE protocol to be widely accepted, but until
> then HTTPS protection against MitM is a myth.
>
>
> 10.12.2013, 01:40, "Simon" <[email protected]>:
>
> By design HTTPS/TLS is supposed to protect against man-in-the-middle!
> Isn't that what certificate signing is all about? Else we could just all
> generate our own certificates. SSH on the other hand does not really
> prevent MitM (but mitigates it slightly with fingerprints). Correct me if
> I'm wrong here..
>
> On Thursday, December 5, 2013 4:25:53 PM UTC-8, Alex Kocharin wrote:
>
> Yeah, shasums are usually PGP signed.
> HTTPS is a protection against traffic sniffing, nothing more than that.
> While it's nice to use it everywhere, it doesn't really protect against
> MitM.
>
> On Tuesday, December 3, 2013 1:10:29 AM UTC+4, Igor Partola wrote:
>
> This is a security issue. For example this announcement of 0.11.9
> availability (http://blog.nodejs.org/2013/11/20/node-v0-11-9-unstable/)
> is served in plaintext, such that the SHA1 signatures can be tampered with along
> with the binaries to run arbitrary code on the target machine. Note that
> there is no option to access any resource on *.nodejs.org via HTTPS.
>
> Please enable HTTPS on this site. Additionally, please provide checksums
> using algorithms other than SHA1, such as SHA256.
>
> --
> Job Board: http://jobs.nodejs.org/
> Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
> You received this message because you are subscribed to the Google Groups "nodejs" group.
> To post to this group, send email to [email protected]
> To unsubscribe from this group, send email to [email protected]
> For more options, visit this group at http://groups.google.com/group/nodejs?hl=en?hl=en
> ---
> You received this message because you are subscribed to the Google Groups "nodejs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
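The check the top reply recommends (verify the PGP signature on SHASUMS256.txt.asc, then compare the tarball's SHA-256 against the signed list), written out as an added Python example that is not part of this thread or of the Node project. It assumes gpg is installed with the release key already imported, that the sums file is clearsigned in the "<hex>  <filename>" layout of SHASUMS256.txt, and that EXPECTED_FPR is replaced with the real signing key's fingerprint (the value shown is a placeholder).

```python
import hashlib
import re
import subprocess
import sys
from pathlib import Path
EXPECTED_FPR = "0000000000000000000000000000000000000000"  # placeholder (constructed): pin the real key's fingerprint

def gpg_verify(asc_path):
    """Verify the clearsigned sums file with gpg (assumed installed, key already imported); return its status lines."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", str(asc_path)], capture_output=True, text=True)
    if proc.returncode != 0:  # BADSIG, NO_PUBKEY, expired key, ...: stop here
        raise RuntimeError("signature check failed:\n" + proc.stderr)
    return proc.stdout

def valid_signer(status, expected_fpr):
    """gpg exits 0 for a good signature by *any* key in the keyring, so the
    VALIDSIG status line must name the pinned key (signing subkey or primary key)."""
    for line in status.splitlines():
        f = line.split()
        if len(f) >= 3 and f[:2] == ["[GNUPG:]", "VALIDSIG"]:
            if expected_fpr.upper() in (f[2].upper(), f[-1].upper()):
                return True
    return False

def signed_body(asc_text):
    """Lines between the clearsign 'Hash:' headers and the signature (RFC 4880 section 7)."""
    lines = asc_text.splitlines()
    start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----") + 1
    while lines[start].strip():  # skip "Hash: SHA256" header(s) up to the blank line
        start += 1
    end = lines.index("-----BEGIN PGP SIGNATURE-----")
    return "\n".join(ln[2:] if ln.startswith("- ") else ln for ln in lines[start + 1:end])  # undo dash-escaping

def expected_sha256(sums_text, filename):
    """Look up one name in SHASUMS256.txt-style lines: "<64 hex>  <filename>"."""
    for line in sums_text.splitlines():
        m = re.fullmatch(r"([0-9a-f]{64})\s+\*?(\S.*)", line.strip())
        if m and m.group(2) == filename:
            return m.group(1)
    return None

def check_release(asc_path, tarball, expected_fpr=EXPECTED_FPR):
    """Signature and signer first, hash second: a hash read from unverified text proves nothing."""
    if not valid_signer(gpg_verify(asc_path), expected_fpr):
        return False
    want = expected_sha256(signed_body(Path(asc_path).read_text()), Path(tarball).name)
    return want is not None and want == hashlib.sha256(Path(tarball).read_bytes()).hexdigest()

if __name__ == "__main__":  # usage: python verify_release.py SHASUMS256.txt.asc node-vX.Y.Z.tar.gz
    print("OK" if check_release(sys.argv[1], sys.argv[2]) else "FAILED")
```

Fetching the .asc over plain HTTP is fine under this scheme; what must be trusted is the key fingerprint you pin, obtained out of band, not the transport.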
