2017-09-26 11:57 GMT+03:00 Oliver Heister <oliverheis...@gmail.com>:
> 2. Currently MITM attacks by evil ISPs or WiFi networks are possible
> against people downloading tomcat from
> http://tomcat.apache.org/download-80.cgi . (The page has links to PGP, md5
> and sha1 hashes for validation, but the links are on a http page that does
> not redirect to https. This means they could be replaced in case of MITM.)
>
> IMO a HTTP 301 redirect to the https version and HSTS headers should be
> added to http://tomcat.apache.org/ .
The recommended way to validate releases is to check the PGP signature, not the checksums. It is not so easy to compromise a PGP signature. You cannot generate a new signature without having a key.

I think that HSTS is overkill. Maybe update links to *.cgi pages (in menu and on the site) to use https:

Best regards,
Konstantin Kolinko
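The point made in the reply above (a checksum fetched over the same untrusted channel as the archive proves nothing, while a signature verified against a key obtained out of band does) as an added, self-contained illustration that is not part of the original thread or of the Tomcat project. It uses Go's standard-library Ed25519 as a stand-in for PGP, generates a throwaway signing key, and constructs a fake archive and a fake substituted archive inline; `Publisher`, `Release`, `ForgedRelease`, `VerifyChecksum` and `VerifySignature` are names invented for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// Release is what a download page serves: the archive, the published
// SHA-1 digest linked next to it, and a detached signature over the archive.
type Release struct {
	Archive []byte
	SHA1    string // hex digest, as linked from the download page
	Sig     []byte // detached signature over Archive
}

// Publisher holds the release manager's signing key. In the real process
// this is a PGP key whose public half is distributed in the project's KEYS
// file; Ed25519 is used here only because it is in Go's standard library.
type Publisher struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewPublisher() (*Publisher, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Publisher{priv: priv, Pub: pub}, nil
}

// Publish produces the archive together with its checksum and signature.
func (p *Publisher) Publish(archive []byte) Release {
	sum := sha1.Sum(archive)
	return Release{
		Archive: archive,
		SHA1:    hex.EncodeToString(sum[:]),
		Sig:     ed25519.Sign(p.priv, archive),
	}
}

// ForgedRelease models the situation the thread warns about: a party in the
// middle of a plain-http page swaps the archive and rewrites the checksum
// link so the two are consistent. It cannot sign with the publisher's key,
// so the best it can do is sign with an unrelated key of its own.
func ForgedRelease(substitute []byte) Release {
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	sum := sha1.Sum(substitute)
	return Release{
		Archive: substitute,
		SHA1:    hex.EncodeToString(sum[:]),
		Sig:     ed25519.Sign(otherPriv, substitute),
	}
}

// VerifyChecksum compares the archive with the checksum obtained over the
// same channel. A consistent forgery passes this check.
func VerifyChecksum(r Release) bool {
	sum := sha1.Sum(r.Archive)
	return hex.EncodeToString(sum[:]) == r.SHA1
}

// VerifySignature checks the detached signature against a public key the
// downloader obtained out of band (pinned KEYS file, https, earlier
// download). Only the holder of the matching private key can pass it.
func VerifySignature(r Release, trustedPub ed25519.PublicKey) bool {
	return ed25519.Verify(trustedPub, r.Archive, r.Sig)
}

func main() {
	p, err := NewPublisher()
	if err != nil {
		panic(err)
	}
	genuine := p.Publish([]byte("apache-tomcat-8.x.tar.gz (constructed sample)"))
	forged := ForgedRelease([]byte("substituted archive (constructed sample)"))
	fmt.Printf("genuine: checksum=%v signature=%v\n", VerifyChecksum(genuine), VerifySignature(genuine, p.Pub))
	fmt.Printf("forged:  checksum=%v signature=%v\n", VerifyChecksum(forged), VerifySignature(forged, p.Pub))
}
```

The checksum check reports true for both releases; only the signature check separates them, and only because the public key did not travel over the same channel as the archive. That is the whole reason the reply favours the PGP signature over the md5/sha1 links.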
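The first message proposes a 301 redirect from http to https plus an HSTS header. As an added example, not code from the thread or from the Apache infrastructure, here is the minimal Go handler pair that implements that proposal, with one caveat worth seeing in code: browsers ignore `Strict-Transport-Security` on plain-http responses, so the header belongs on the https side, not on the redirect. `redirectToHTTPS`, `withHSTS` and `probe` are names invented here; the `max-age` value is an assumed one-year setting.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// redirectToHTTPS answers any plain-http request with a 301 to the same
// host and path on https, so the download page and its checksum/signature
// links are only ever read over TLS.
func redirectToHTTPS(w http.ResponseWriter, r *http.Request) {
	target := "https://" + r.Host + r.URL.RequestURI()
	http.Redirect(w, r, target, http.StatusMovedPermanently)
}

// withHSTS wraps the https handler and adds Strict-Transport-Security with
// the given max-age in seconds. includeSubDomains/preload are deliberately
// not set: they are a deployment decision that affects every subdomain.
func withHSTS(next http.Handler, maxAgeSeconds int) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", fmt.Sprintf("max-age=%d", maxAgeSeconds))
		next.ServeHTTP(w, r)
	})
}

// probe issues an in-memory GET against a handler and returns the status,
// Location and Strict-Transport-Security values it produced.
func probe(h http.Handler, url string) (int, string, string) {
	req := httptest.NewRequest("GET", url, nil)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Location"), rec.Header().Get("Strict-Transport-Security")
}

func main() {
	code, loc, _ := probe(http.HandlerFunc(redirectToHTTPS), "http://tomcat.apache.org/download-80.cgi")
	fmt.Println("http side:", code, loc)

	page := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	_, _, hsts := probe(withHSTS(page, 31536000), "https://tomcat.apache.org/download-80.cgi")
	fmt.Println("https side:", hsts)
}
```

In a real deployment the same two pieces map onto an `http` and an `https` virtual host: the first only redirects, the second serves content and sets the header.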