2017-09-26 11:57 GMT+03:00 Oliver Heister <oliverheis...@gmail.com>:
>  2. Currently MITM attacks by evil ISPs or WiFi networks are possible
> against people downloading tomcat from
> http://tomcat.apache.org/download-80.cgi . (The page has links to PGP, md5
> and sha1 hashes for validation, but the links are on a http page that does
> not redirect to https. This means they could be replaced in case of MITM.)
> IMO a HTTP 301 redirect to the https version and HSTS headers should be
> added to http://tomcat.apache.org/ .

The recommended way to validate releases it to check the PGP
signature, not the checksums.

It is not so easy to compromise a PGP signature. You cannot generate a
new signature without having a key.

I think that HSTS is an overkill.

Maybe update links to *.cgi pages (in menu and on the site) to use https:

Best regards,
Konstantin Kolinko

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to