Security issue with download

  • All the download links on the download page (downloads – LibreELEC) are pointing to http and not https.

    This opens up for a man-in-the-middle attack.


    So how can I know or check that what I download is genuine LibreELEC software and not some malicious version?

    I don't find any PGP signature or any hashes of the software.

  • You can get checksums like

    Code
    http://releases.libreelec.tv/LibreELEC-RPi2.arm-8.0.2.img.gz?mirrorlist

    my lamp addon (unofficial/community) (limited no support)
    my touchscreen support and instructions by Grruhn (now touchscreen addon exists in repository)

  • Code
    http://releases.libreelec.tv/LibreELEC-RPi2.arm-8.0.2.img.gz?mirrorlist

    The problem is that the checksum is also provided over http, so it could easily be changed in a man-in-the-middle attack.


    The only way around this is that some of it, preferably all, is served over https.
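    As an added illustration of the check the posts above are asking for (example code, not LibreELEC's own tooling): parse a `sha256sum`-style checksum listing and verify a downloaded image against it. The image bytes and the listing are constructed here; in practice the listing only adds trust when it reaches you over a channel the attacker cannot also rewrite, such as an https page.

```python
import hashlib
import hmac
import re

# One line as written by `sha256sum`: "<64 hex>  <filename>", with " *" before
# the name in binary mode. A .sha256 listing may contain several such lines.
SUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")
CHUNK = 1 << 20  # hash in 1 MiB chunks so full-size images fit in memory

def parse_sha256sums(text):
    """Parse sha256sum output into {filename: lowercase hex digest}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SUM_LINE.match(line)
        if not m:
            raise ValueError("malformed checksum line: %r" % line)
        sums[m.group(2)] = m.group(1).lower()
    return sums

def sha256_hex(data):
    """Hex SHA-256 of a bytes object, computed chunk by chunk."""
    h = hashlib.sha256()
    for i in range(0, len(data), CHUNK):
        h.update(data[i:i + CHUNK])
    return h.hexdigest()

def verify_download(filename, data, sums_text):
    """True only if data's SHA-256 matches the listing entry for filename.

    The listing must come from an authenticated source. A sum fetched over the
    same plain-http connection as the image can be replaced together with it,
    in which case this check passes for a tampered file and proves nothing.
    """
    expected = parse_sha256sums(sums_text).get(filename)
    if expected is None:
        return False  # no entry for this file: nothing to compare against
    return hmac.compare_digest(sha256_hex(data), expected)

if __name__ == "__main__":
    # Constructed sample, not a real release: a short byte string stands in
    # for the image and the listing is derived from it.
    image = b"constructed LibreELEC image placeholder\n"
    name = "LibreELEC-RPi2.arm-8.0.2.img.gz"
    sums_text = "%s  %s\n" % (sha256_hex(image), name)
    print("genuine  :", verify_download(name, image, sums_text))         # True
    print("tampered :", verify_download(name, image + b"x", sums_text))  # False
```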

  • Ah, missed http link.


    I think there is some solution to get at least checksums over https. But forgot how. Or maybe there isn't - other will help here.

    my lamp addon (unofficial/community) (limited no support)
    my touchscreen support and instructions by Grruhn (now touchscreen addon exists in repository)

  • The releases server does not currently support HTTPS connections. This will change when we complete a server move, which is a little overdue but on the team's short-term to-do list.

    That's reasonable.


    But please consider putting the sha256 sum of the downloads on an appendix to downloads – LibreELEC.


    I really appreciate your work and would like to try the software. I trust the libreelec developers, software, and https site maintainer, but the final trust link, the sha256sum on https, is missing.


    I know this sounds largely paranoid, but I am reluctant to install inside my wifi lan a download of software that I cannot trust.


    I think that it takes not much to help me install this generous software.


    Thank you for your patience.

  • Hey chewitt,


    I have just stumbled across this problem :/

    Realizing that the mirror page is completely useless is quite devastating.

    At the moment the shown hashes cannot prove anything... Assuming someone is tampering with the http connection, not even the correctness of a downloaded file can be proven.


    Please consider posting the current stable releases' hashes in this forum (or as already suggested on the download page) so we don't need to wait some arbitrary short term time to run our beloved libreelec :D


    Thanks :)


    P.S.: Sorry if I sound too harsh :/