Hello Community,

I noticed that on http://www.openvas.org/install-packages-v7.html we're encouraging users to wget a script from the Atomicorp website using http. As we know, this is a potential Man in the Middle attack vector, and we shouldn't spread such bad practice, especially since the Atomicorp website and the given resource are available through https://, so I can't see a reason to use http.

So my inquiry is: can you please change this line in the guide

wget -q -O - http://www.atomicorp.com/installers/atomic |sh

to

wget -q -O - https://www.atomicorp.com/installers/atomic |sh

To make it clear for everyone why I'm concerned by it:

1. We ask users to fetch it with super user privileges, so if this request is MiTM'd, it can completely compromise the end user machine, and for corporate environments that's a disaster.

2. We're talking about security software here, so we should be a good example for others.

FYI: The script itself downloads RPM keys via https, so in there everything is fine, and the only problem I see is related to the mentioned instruction in the installation guide.

The scale of the problem is much bigger, as I can see the same practice here: http://www.openvas.org/install-packages-v6.html and other wiki pages, where not only the plaintext wget | sh is encouraged, but also downloading RPM keys from static URLs is happening via plaintext HTTP (websites hosting repo keys are in general available with https, so we should leverage it wherever possible). Example:

wget http://download.opensuse.org/repositories/security:/OpenVAS:/UNSTABLE:/v6/Debian_7.0/Release.key

Appreciate your help and feedback on this.

Love,
Dawid Bałut <https://www.linkedin.com/in/dawidbalut>
Founder of InfoSec Remedy <https://infosecremedy.blogspot.com/>
Blogger at dawidbalut.blogspot.com
_______________________________________________
Openvas-discuss mailing list
[email protected]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
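The message above objects to "wget -q -O - http://... | sh" run as root, because a plaintext fetch can be altered in transit before it is executed. The following shell functions are an added example, not part of the mail or of the OpenVAS or Atomicorp projects, showing the pattern a guide could recommend instead: refuse non-HTTPS URLs, download to a private temporary file, compare its SHA-256 against a value pinned out-of-band, and only then execute it. It assumes wget (with its --https-only option) and sha256sum or shasum are installed; the checksum argument is assumed to come from a trusted channel (for example the project's HTTPS site or a signed release note), and the one in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: fetch, verify, then execute, instead of piping an
# unauthenticated download straight into sh. Not from the original mail
# or from the OpenVAS/Atomicorp projects.

# Accept only https:// URLs; print a reason and return 1 for anything else.
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing non-HTTPS URL: $1" >&2; return 1 ;;
    esac
}

# Print the SHA-256 hex digest of a file using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare a file's SHA-256 with the pinned (out-of-band) value; 0 on match.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file: got $actual, expected $expected" >&2
        return 1
    fi
    return 0
}

# Download over TLS into a private temp file, verify it, and only then run it.
# A tampered, truncated or redirected-to-http download fails closed; nothing
# reaches sh until the checksum matches.
fetch_verify_run() {
    url=$1
    expected=$2
    require_https "$url" || return 1
    tmp=$(mktemp) || return 1
    # --https-only makes wget refuse a redirect back to plain http.
    if ! wget -q --https-only -O "$tmp" "$url"; then
        echo "download failed: $url" >&2
        rm -f "$tmp"
        return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        rm -f "$tmp"
        return 1
    fi
    sh "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage (placeholder checksum; pin the real digest obtained out-of-band):
# fetch_verify_run https://www.atomicorp.com/installers/atomic <EXPECTED_SHA256_PLACEHOLDER>
```

The same split applies to repository keys: fetching a Release.key over https and checking its fingerprint against one published through a separate trusted channel gives two independent checks, where the plaintext wget in the mail gives none.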
