Please enable HTTPS for downloads by default

ximxxomd · September 13, 2019 at 6:44 PM

The downloadlinks here are for some unknown reason http links instead of https links: AMD / Intel / nVidia – LibreELEC

When you change them manualy to https, then the download link work fine. Please make them https by default to not make MITM-attacks possible.

Thanks

**CvH** · September 13, 2019 at 8:28 PM Official Post

this is sadly rather useless as most of the mirrors are using http anyway

ximxxomd · September 14, 2019 at 3:46 PM

The links are working fine with https enabled:

example 1: libreelec-generic.x86_64-9.0.2.img.gz

example 2: libreelec-generic.x86_64-9.1.501.img.gz

**CvH** · September 15, 2019 at 6:36 PM Official Post

yea and the mirror its redirecting to plain http as most of the mirrors are not offering https

gee_whiz · July 26, 2020 at 12:37 PM

@ximxxomd

Wow, I always thought that at least the https download would be secure...

But as CvH states the mirrors seem to downgrade the connection security and provide a false sense of security.

/r Great... why don't you guys start an anti-cryptography advocate group.

These security flaws have been around for several years now and opposite to all promises it has never been handled in any ways.

It's really disappointing.

CvH

You said at Use of SSL for release downloads that you were supplying checksums via SSL. But honestly I have found nothing on this page that offers them through ssl/tls.

- The download section does not show them.

- The mirrorlist is http only and LibreELEC-RPi.arm-9.2.3.img.gz?mirrorlist directly starts the download (tested in chromium and firefox).

The only way to get libreelec in a secure way (or at least verify it by ssl/tls-supplied checksums) is to download the Milhouse nightlies from his mirror and use the checksums from his kodi.tv-forum posts.

See LibreELEC Testbuilds for RaspberryPi (Kodi 19.0)

But then again you have a completely unstable libreelec...

Use of SSL for release downloads

Quote

the downloads are served via mirrors also over ftp - so you gain nothing with ssl there

We serve hashsums via ssl that could be used to check for correct files (reminds me to add the links to the download, upps).

Remember also Windows updates are server via http and it is not less secure due that!

/r And concerning the windows updates. That has nothing to do with this problem.

Updates via http is only perfectly fine when you have securely established trust before and use cryptographic signatures stemming from that trust establishment (i.e. installing windows from DVD (where an iso was downloaded via https) or having windows installed by a oem supplier (who is to trust in that case)). The os installation provides the cryptographic means (such as certificates) to verify the updates .

In a different thread ( Security issue with download ), I found chewitt saying:

Quote

Hashes are worthless and are not the solution. We are working on a proper solution. Go poke in GitHub for more info.

I have taken a look at github, but I did not saw anything concerning the download problem. Maybe there are changes to the update process but that does not impact the first setup process.

Sorry for the rant, but please correct me where I was wrong.

Best regards,

gee_whiz

Please enable HTTPS for downloads by default

Similar Threads

RPi4 1GB + LibreElec 9.1.002 + Hyperion Lights = no lights