Use HTTPS for installation guide and scripts

[jellemdekker]

Feature Request

Feature Information:

The AMP installation guide features commands that rely on downloading scripts or packages over the internet. Some of these commands currently use HTTP. However, the infrastructure already appears to support HTTPS almost everywhere. I propose the following changes:

Ubuntu/Debian:

1. Modify wget -qO- getamp.sh to wget -qO- https://getamp.sh (requires task I below to be completed first).
2. Modify apt-key adv --fetch-keys http://repo.cubecoders.com/archive.key with
   apt-key adv --fetch-keys https://repo.cubecoders.com/archive.key.
3. Modify apt-add-repository "deb http://repo.cubecoders.com/ debian/" to
   apt-add-repository "deb https://repo.cubecoders.com/ debian/"

CentOS/Fedora & Other Linux:

4. Modify wget http://cubecoders.com/Downloads/ampinstmgr.zip to
   wget https://cubecoders.com/Downloads/ampinstmgr.zip

Task list for places to make above changes in:

• I. Configure HTTPS support for the webserver of the getamp.sh website.
• II. Update aforementioned sections of the AMP installation guide.
• III. Update the AMP Dockerfile (lines 49 & 50).
• IV. Update the getamp.sh script (lines 69 & 70).
• V. Update the redirect from getamp.sh to CubeCoders to HTTPS.

I confirm:

• that I have searched for an existing feature request matching the description.

[PhonicUK]

We have a HSTS policy on our domain (which forces all HTTP requests to run over HTTPS), all of the requests run over HTTPS. If you check the output from the wget command you'll see that because of the policy the download is actually served over HTTPS. There are also server-side redirect rules that redirect all HTTP traffic to HTTPS.

[jellemdekker]

repo.cubecoders.com does not 301 redirect to HTTPS or serve the HSTS header. This means archive.key and AMP binaries are vulnerable to man-in-the-middle attacks. Additionally, if the infrastructure supports it, why not hardcode HTTPS into the URL's?

Please consider taking a moment to investigate this.

[miguemely]

Might be that the HSTS policy isn't being affected on the subdomain.

[jellemdekker]

getamp.sh redirects to http://cubecoders.com/getamp.sh. This should be https://. Furthermore, getamp.sh itself should support HTTPS, because if it doesn't an attacker can still modify the 301 redirect it is sending and replace it with their own malicious script.

[miguemely]

getamp.sh now redirects to https://cubecoders.com/getamp.sh, however, getamp.sh does not seem to support https.

[PhonicUK]

GetAMP.sh is now served over HTTPS, as is everything else I believe.

[deadlysnek]

https://getamp.sh still presents a certificate for *.cubecoders.com which isn't valid.

[PhonicUK]

Odd, Certify the web is fetching those via LetsEncrypt. Something odd is afoot.

[PhonicUK]

This has been addressed since. GetAMP.sh now redirects to https. All repositories are accessed over HTTPS and now use strict signing.