Date: prev next · Thread: first prev next last
2016 Archives by date, by thread · List index 

2016-08-22 23:11 GMT+02:00 Paul Steyn <paulsteyn1@afrihost.co.za>:


As all the information is being downloaded, and not uploaded, and is
publicly available, there is no security from the encryption; anybody
can get the same data you are accessing. The verification of the domain
is useful, but does still rely on trusting the DNS servers. The download
itself can be verified through other, better means to ensure it is good,
although this does again rely on the website not having been hacked,
which https does nothing to ensure.



​HTTPS does some stuff to make the download safer: assuming the server's
private key itself was not accessed by an attacker, AND assuming the third
party certificate authority didn't issue a bogus certificate.
In that case, we can reasonably think that what is shown accessing
https://libreoffice.org really originate from libreoffice.org. This
includes the files and the hash fingerprints provided as a way to check the
downloaded files.
One could argue that the download themselves could be served over HTTP for
efficiency, and only the hashes needs to go through HTTPS, but pushing
everything through TLS is not that troublesome.

Of course, we assume that some bases are correct. And that's ignoring other
ways of attack: corporate "nosey" decrypt-all routers, ​user accepting
invalid certificates, browser hijacking, etc.
All in all, providing HTTPS access with a verified certificate does add
something, even for a public project that only provide files to the users,
but it's not completely secure just because of the https green thingy.



PS. I find the tone of the message to be a little strong,



​Agreed.​

-- 
To unsubscribe e-mail to: users+unsubscribe@global.libreoffice.org
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/users/
All messages sent to this list will be publicly archived and cannot be deleted

Context

Privacy Policy | Impressum (Legal Info) | Copyright information: Unless otherwise specified, all text and images on this website are licensed under the Creative Commons Attribution-Share Alike 3.0 License. This does not include the source code of LibreOffice, which is licensed under the Mozilla Public License (MPLv2). "LibreOffice" and "The Document Foundation" are registered trademarks of their corresponding registered owners or are in actual use as trademarks in one or more countries. Their respective logos and icons are also subject to international copyright laws. Use thereof is explained in our trademark policy.