Mailinglist Archive: opensuse-security (33 mails)

Re: [opensuse-security] Why no SSL for download.opensuse.org ?
On Sat 06 Jul 2013 10:34:45 Malte Gell wrote:
We have learned how much effort governments take to control and monitor
the Internet. With this in regard, wouldn't it make sense to switch
download.opensuse.org to SSL? I know, rpm packages are signed with
GnuPG, but if you add a new repo an attacker still is able to give you a
forged GnuPG key and a forged repo, not the repo you actually tried to
subscribe to. Thus, GnuPG signing of rpm does not prohibit man in the
middle attacks. I think SSL for download.opensuse.org would give more
safety to people living in authoritarian regimes who want to download
openSUSE software.

Malte

The downloads themselves don't need to be SSL. Nobody should really trust a
large download without a checksum or some other sort of error checking. Many
people use torrents now anyway, and often they're more reliable. But the
openSUSE web page with the checksums for the downloads should absolutely be
SSL. This should be easy to do.

Regards,

Eoin
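
Added example, not part of the original thread: a sketch of the check discussed above, where an image fetched over any channel is accepted only if its SHA-256 matches a checksum list that was itself retrieved over HTTPS. The function names, the `example.iso` file name and the `checksums.example` URL are assumptions made for illustration.

```python
import hashlib
import hmac
import tempfile
from urllib.parse import urlsplit


def parse_sha256sums(text):
    """Parse `sha256sum` output lines ("<hex>  <name>" or "<hex> *<name>")."""
    sums = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue  # skip blank, comment and malformed lines
        try:
            bytes.fromhex(parts[0])
        except ValueError:
            continue  # 64 characters, but not hexadecimal
        sums[parts[1].lstrip("*")] = parts[0].lower()
    return sums


def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so a multi-gigabyte image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path, name, checksum_url, checksum_text):
    """Accept the file only if its hash matches a list fetched over HTTPS."""
    if urlsplit(checksum_url).scheme != "https":
        # A list fetched in cleartext can be rewritten together with the file.
        raise ValueError("checksum list was not fetched over HTTPS")
    expected = parse_sha256sums(checksum_text).get(name)
    if expected is None:
        raise KeyError(f"no checksum listed for {name}")
    return hmac.compare_digest(sha256_file(path), expected)


def demo():
    """Constructed sample: a small stand-in for an image and its checksum list."""
    data = b"constructed stand-in for an installation image\n"
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data)
    listing = f"{hashlib.sha256(data).hexdigest()}  example.iso\n"
    url = "https://checksums.example/example.iso.sha256"  # placeholder URL
    return verify_download(f.name, "example.iso", url, listing), f.name, listing
```

`verify_download` takes the checksum text as already fetched; the caller is responsible for retrieving it with certificate validation enabled and for passing the URL it was actually retrieved from.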