Security issue with download

kaisti · June 5, 2017 at 4:04 PM

All the download links on the download page downloads – LibreELEC is pointing to http and not https.

This open up for man-in-the-middle attack.

So how can I now or check if what I download is genuine LibreELEC software and not some malicious version?

It down find any PGP signature or any hashes of the software.

**vpeter** · June 5, 2017 at 5:30 PM

You can get checksums like

Code

http://releases.libreelec.tv/LibreELEC-RPi2.arm-8.0.2.img.gz?mirrorlist

kaisti · June 5, 2017 at 6:31 PM

Quote from vpeter

Code

http://releases.libreelec.tv/LibreELEC-RPi2.arm-8.0.2.img.gz?mirrorlist

The problem is that the checksum is also provided over http, so that could easily be changes in a man-in-the-middle attack.

The only way around this that some of it, preferable all, is serviced over https.

**vpeter** · June 5, 2017 at 7:25 PM

Ah, missed http link.

I think there is some solution to get at least checksums over https. But forgot how. Or maybe there isn't - other will help here.

**chewitt** · June 7, 2017 at 9:15 AM Official Post

The releases sever does not currently support HTTPS connections. This will change when we complete a server move, which is a little overdue but on the team short term to-do list.

FatherMapple · October 14, 2017 at 11:49 AM

Quote from chewitt

The releases sever does not currently support HTTPS connections. This will change when we complete a server move, which is a little overdue but on the team short term to-do list.

That's reasonable.

But please consider putting the sha256 of the donloads only sum on an appendix downloads – LibreELEC.

I really appreciate your work and would like to try the software. I trust the libreelec developers, software, and https site maintainer, but the final trust link, the sha256sum on https, is missing.

I know this sounds largely paranoid, but I am reluctant to install inside my wifi lan a download of software that I cannot trust.

I think that it takes not much to help me install this generous software.

Thank you for your patience.

**chewitt** · October 14, 2017 at 6:07 PM Official Post

Please do not cross post.

Mysterious · October 27, 2017 at 8:33 PM

Hey chewitt,

I have just stumbled across this problem

Realizing that the mirror page is completely useless is quite devastating.

At the moment the shown hashes cannot proof anything... Assuming someone tampering with the http connection, not even the correctness of a downloaded file can be proofed.

Please consider posting the current stable releases' hashes in this forum (or as already suggested on the download page) so we don't need to wait some arbitrary short term time to run our beloved libreelec

Thanks

P.S.: Sorry if I sound too harsh

**chewitt** · October 27, 2017 at 11:30 PM Official Post

Hashes are worthless and are not the solution. We are working on a proper solution. Go poke in GitHub for more info.