Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Forge send unencrypted request to files.minecraftforge.net #6643

Closed
Bixilon opened this issue Apr 23, 2020 · 5 comments
Closed

Forge send unencrypted request to files.minecraftforge.net #6643

Bixilon opened this issue Apr 23, 2020 · 5 comments
Labels
1.12 Wont Fix/Works As Intended

Comments

@Bixilon
Copy link

@Bixilon Bixilon commented Apr 23, 2020

My Client (1.12.2 14.23.5.2847) sends an unencrypted request to: http://files.minecraftforge.net/maven/net/minecraftforge/forge/promotions_slim.json

Please: Use https!

@Bixilon Bixilon added the Triage label Apr 23, 2020
@diesieben07
Copy link
Contributor

@diesieben07 diesieben07 commented Apr 23, 2020

The request is encrypted in modern versions of Forge.
Even if, this request does not contain any sensitive data of any kind.

@diesieben07 diesieben07 removed the Triage label Apr 23, 2020
@Bixilon
Copy link
Author

@Bixilon Bixilon commented Apr 23, 2020

The problem is not, that sensitive data is getting sent. It's a general problem.

I updated forge to .2854, but it is not encrypted. Do you mean new Minecraft versions? If so, why not in 1.12.2?

@diesieben07
Copy link
Contributor

@diesieben07 diesieben07 commented Apr 23, 2020

1.12.2 is now 2 1/2 years old and no longer receiving updates.

@simon816
Copy link
Contributor

@simon816 simon816 commented Apr 24, 2020

Even if, this request does not contain any sensitive data of any kind.

Depending on whether there's any signature / hash verification, a malicious actor on a network may be able to intercept the request to ultimately serve malware, with HTTPS you at least get certificate verification.

@DaemonUmbra DaemonUmbra added 1.12 Wont Fix/Works As Intended labels Apr 24, 2020
@LexManos
Copy link
Member

@LexManos LexManos commented Apr 24, 2020

We know what MITM attacks are. However your fearmongering has no effect here. Worse case scenario they serve bad data and cause an error in out update check.

This, among many reasons is why we never download executable code in Forge. All this check does is display a message if you're out of date.

Which, you are, as you're using 1.12, so.if you gave a crap about security you'd update... So... nobody cares.

@MinecraftForge MinecraftForge locked as resolved and limited conversation to collaborators Apr 24, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
1.12 Wont Fix/Works As Intended
Projects
None yet
Development

No branches or pull requests

5 participants