Please enable HTTPS for downloads by default

  • @ximxxomd

    Wow, I always thought that at least the https download would be secure...

    But as CvH states the mirrors seem to downgrade the connection security and provide a false sense of security.

    /r Great... why don't you guys start an anti-cryptography advocate group.

    These security flaws have been around for several years now and opposite to all promises it has never been handled in any ways.

    It's really disappointing.

    CvH

    You said at Use of SSL for release downloads that you were supplying checksums via SSL. But honestly I have found nothing on this page that offers them through ssl/tls.

    - The download section does not show them.

    - The mirrorlist is http only and LibreELEC-RPi.arm-9.2.3.img.gz?mirrorlist directly starts the download (tested in chromium and firefox).

    The only way to get libreelec in a secure way (or at least verify it by ssl/tls-supplied checksums) is to download the Milhouse nightlies from his mirror and use the checksums from his kodi.tv-forum posts.

    See LibreELEC Testbuilds for RaspberryPi (Kodi 19.0)

    But then again you have a completely unstable libreelec...

    Use of SSL for release downloads

    Quote

    the downloads are served via mirrors also over ftp - so you gain nothing with ssl there

    We serve hashsums via ssl that could be used to check for correct files (reminds me to add the links to the download, upps).

    Remember also Windows updates are server via http and it is not less secure due that!

    /r And concerning the windows updates. That has nothing to do with this problem.

    Updates via http is only perfectly fine when you have securely established trust before and use cryptographic signatures stemming from that trust establishment (i.e. installing windows from DVD (where an iso was downloaded via https) or having windows installed by a oem supplier (who is to trust in that case)). The os installation provides the cryptographic means (such as certificates) to verify the updates .


    In a different thread ( Security issue with download ), I found chewitt saying:

    Quote

    Hashes are worthless and are not the solution. We are working on a proper solution. Go poke in GitHub for more info.

    I have taken a look at github, but I did not saw anything concerning the download problem. Maybe there are changes to the update process but that does not impact the first setup process.


    Sorry for the rant, but please correct me where I was wrong.

    Best regards,

    gee_whiz