Enabling TLS connections


Post by cwest » Fri Mar 24, 2017 7:45 am

Hey there,

It has been an industry standard to put the hashes online once a new version is released to ensure that one has got the right item and not a software which has been edited throughout the way (by a Man In The Middle / MITM).

However, when transmitted through an insecure port 80 or 21, it is possible that the software could be processed by an MITM. Same applies to the uploaded hash values. To ensure that this won't happen, it'd be nice to use a (trusted) TLS connection. I think Let's Encrypt or StartCOM should be a free, but fair way to receive the certificates to that purpose...

Here's another reason: It's said Google ranks TLS encrypted sites higher lol
cwest
 
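The check described in the post above, as an added example that is not part of the original thread or the GhostBSD project's code: a downloaded image is accepted only if the checksum manifest arrived over HTTPS and the SHA-256 digest matches. The function names, the `downloads.example.org` host and the sample image are assumptions constructed for illustration; the parser accepts both BSD `sha256` and GNU `sha256sum` manifest lines.

```python
import hashlib, hmac, os, re, tempfile
from urllib.parse import urlsplit

# BSD style: "SHA256 (name) = hex"; GNU style: "hex  name" or "hex *name"
_BSD = re.compile(r"^SHA256 \((?P<name>.+)\) = (?P<hex>[0-9a-fA-F]{64})$")
_GNU = re.compile(r"^(?P<hex>[0-9a-fA-F]{64}) [ *](?P<name>.+)$")

def manifest_channel_ok(url):
    """True only if the manifest URL uses an authenticated transport (https)."""
    return urlsplit(url).scheme.lower() == "https"

def parse_manifest(text):
    """Return {filename: lowercase hex digest}; raise on any unparseable line."""
    digests = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        m = _BSD.match(line) or _GNU.match(line)
        if m is None:
            raise ValueError(f"unrecognised manifest line: {line!r}")
        digests[m["name"]] = m["hex"].lower()
    return digests

def sha256_file(path, chunk=1 << 20):
    """Hash the file in chunks so a multi-gigabyte image is never held in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_download(path, manifest_url, manifest_text):
    """Accept the file only if the manifest came over https and the digest matches."""
    if not manifest_channel_ok(manifest_url):
        return False, "manifest fetched over unauthenticated transport"
    expected = parse_manifest(manifest_text).get(os.path.basename(path))
    if expected is None:
        return False, "file not listed in manifest"
    if not hmac.compare_digest(sha256_file(path), expected):
        return False, "digest mismatch"
    return True, "ok"

def demo():
    # Constructed sample: a fake image, its manifest, and three outcomes.
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "example.iso")
        with open(iso, "wb") as f:
            f.write(b"constructed sample image")
        good = f"SHA256 (example.iso) = {sha256_file(iso)}\n"
        url = "https://downloads.example.org/SHA256"  # placeholder host
        return [verify_download(iso, url, good),
                verify_download(iso, url.replace("https", "http", 1), good),
                verify_download(iso, url, "0" * 64 + "  example.iso\n")]
```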

Re: Enabling TLS connections

Post by ASX » Fri Mar 24, 2017 9:16 am

cwest wrote:
Hey there,

It has been an industry standard to put the hashes online once a new version is released to ensure that one has got the right item and not a software which has been edited throughout the way (by a Man In The Middle / MITM).

I'm inclined to think that if one is able to upload a counterfeit ISO, one might very well be able to upload a new hash, and if I remember correctly something like that happened to Linux Mint.

cwest wrote:
However, when transmitted through an insecure port 80 or 21, it is possible that the software could be processed by an MITM. Same applies to the uploaded hash values. To ensure that this won't happen, it'd be nice to use a (trusted) TLS connection. I think Let's Encrypt or StartCOM should be a free, but fair way to receive the certificates to that purpose...

Hmm ... ISO images are read-only, by specification; applying a non-banal change on the fly looks very hard, if possible at all.

cwest wrote:
Here's another reason: It's said Google ranks TLS encrypted sites higher lol

This is not a commercial project, and Google ranking is not going to affect us that much. ;)

I could say that mostly I can agree about increasing the overall security, including using encrypted connections, the fact is that it will add some more load upon us, and I can assure you we are already busy enough.

Overall we need to balance what we aim to achieve with what we are effectively able to achieve. ;)
It is mostly a matter of time, resources and manpower; most likely we will be there at some point in time, but for now we prefer to dedicate our efforts and resources to other tasks.
ASX
Developer
 

