Enabling TLS connections

Discuss development of the GhostBSD system website.

cwest
Posts: 4
Joined: Fri Mar 24, 2017 8:33 am

Enabling TLS connections

Post by cwest »

Hey there,

It has been an industry standard to put the hashes online once a new version is released, to ensure that one has got the right item and not software that has been edited along the way (by a Man In The Middle / MITM).

However, when transmitted through an insecure port 80 or 21, it is possible that the software could be processed by an MITM. The same applies to the uploaded hash values. To ensure that this won't happen, it'd be nice to use a (trusted) TLS connection. I think Let's Encrypt or StartCom should be a free but fair way to receive certificates for that purpose...

Here's another reason: it's said Google ranks TLS-encrypted sites higher lol
ASX
Posts: 988
Joined: Wed May 06, 2015 12:46 pm

Re: Enabling TLS connections

Post by ASX »

cwest wrote:
> Hey there,
>
> It has been an industry standard to put the hashes online once a new version is released, to ensure that one has got the right item and not software that has been edited along the way (by a Man In The Middle / MITM).

I'm inclined to think that if one is able to upload a counterfeit ISO, they might very well be able to upload a new hash as well, and if I remember correctly something like that happened to Linux Mint.

> However, when transmitted through an insecure port 80 or 21, it is possible that the software could be processed by an MITM. The same applies to the uploaded hash values. To ensure that this won't happen, it'd be nice to use a (trusted) TLS connection. I think Let's Encrypt or StartCom should be a free but fair way to receive certificates for that purpose...

Hmm ... ISO images are read-only, by specification; applying a non-trivial change on the fly looks very hard, if possible at all.

> Here's another reason: it's said Google ranks TLS-encrypted sites higher lol

This is not a commercial project, and Google ranking is not going to affect us that much. ;)

I could say that mostly I can agree about increasing the overall security, including using encrypted connections; the fact is that it will add some more load upon us, and I can assure you we are already busy enough.

Overall we need to balance what we aim to achieve with what we are effectively able to achieve. ;)
It is mostly a matter of time, resources and manpower; most likely we will be there at some point in time, for now we prefer to dedicate our efforts and resources to other tasks.
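As an added example (not code from this thread or from the GhostBSD project), the following Python shows the verification cwest describes and the weakness ASX points out: a SHA-256 checksum file is parsed and checked against a downloaded image, the checksum source is required to be HTTPS, and a checksum that arrives over the same untrusted channel as the image (or from a server whose contents an attacker can replace) is shown to verify a tampered download just fine. The file name and image bytes are constructed placeholders.

```python
import hashlib
import hmac
import re
from urllib.parse import urlparse

# Checksum-file formats: BSD "SHA256 (name) = hex" (what sha256(1) prints)
# and GNU coreutils "hex  name" / "hex *name".
_BSD = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<hex>[0-9a-fA-F]{64})$")
_GNU = re.compile(r"^(?P<hex>[0-9a-fA-F]{64}) [ *](?P<name>\S+)$")

def parse_checksums(text: str) -> dict:
    """Map file name -> expected SHA-256 hex, accepting either format."""
    found = {}
    for line in text.splitlines():
        m = _BSD.match(line.strip()) or _GNU.match(line.strip())
        if m:
            found[m.group("name")] = m.group("hex").lower()
    return found

def require_tls(url: str) -> str:
    """Refuse to fetch checksums from plain HTTP or FTP (ports 80/21)."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"checksums must be fetched over TLS, got {url}")
    return url

def verify_image(name: str, data: bytes, checksum_text: str) -> bool:
    """True iff the SHA-256 of data matches the published entry for name."""
    expected = parse_checksums(checksum_text).get(name)
    if expected is None:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)  # constant-time compare

# Constructed demo data: placeholder file name, not a real release.
IMAGE = "GhostBSD-example.iso"
genuine = b"constructed ISO contents"
published = f"SHA256 ({IMAGE}) = {hashlib.sha256(genuine).hexdigest()}\n"
tampered = genuine + b" plus in-path modifications"  # altered download

def checksum_from_same_channel(data: bytes) -> str:
    """Checksum text as served by whoever can rewrite the download itself
    (an in-path attacker on port 80, or the compromised server ASX describes):
    it simply matches the altered image, so hash checking alone is fooled."""
    return f"SHA256 ({IMAGE}) = {hashlib.sha256(data).hexdigest()}\n"

if __name__ == "__main__":
    print(verify_image(IMAGE, genuine, published))    # True: good download
    print(verify_image(IMAGE, tampered, published))   # False: TLS-sourced checksum catches it
    print(verify_image(IMAGE, tampered, checksum_from_same_channel(tampered)))  # True: fooled
```

The middle case is the one TLS on the checksum page buys you; the last case is why a checksum fetched over the same port 80 connection as the ISO adds no protection.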