Permanent fix for #797 #798
Comments
|
If the checksum changes a lot, you can just leave it away. |
|
Or, we use a browser step to manage the download of the client |
|
How is the checksum related to your /etc/hosts? |
|
Checksum does not secure http transaction is not a digital signature mechanism, especially when it is automatically updated..... HTTPS has been created to solve this problem |
|
@qparis HTTPS can be abused since any page can use secure certificate.. Alike: Note the invalid URL -> Phishing website designed to steal M$ accounts @plata If |
|
If you have access on the machine and you can install a certificate, of course, anything can be abused... Please read about checksum, digital signature and cryptography. Saying that we should create a bot that automatically changes the checksum on the script for security reason is just crazy |
|
@qparis Note that mensioned site above comes with valid certificate nothing was changed from my side. I'm suggesting to make a bot that is going to update the checksum in case the installer is updated. Why is it insane? |
|
@Kreyren You are suggesting to "secure" a HTTPS connexion with a checksum, that is crazy for many reasons:
Can we now focus on the real problem of this ticket or do we continue to reinvent https? |
https://thehackernews.com/2017/04/unicode-Punycode-phishing-attack.html, Note that the site in an example has secure certificate.. Sites alike are also common and MACOSX : https://www.exploit-db.com/exploits/44307
Made a hotfix to disable checksum. Dunno how else it could be solved excluding automatic checksum |
|
Just disable the checksum like all other scripts where the downloaded file changes frequently. |
|
Disagree, but i respect the decision. Recommends closing. |
League Of Legends installers seems to be frequently updated -> causes checksum mismatch.
Reference: #797 (comment)
Suggestions? Can we in theory make something that would update the checksum automatically?
The text was updated successfully, but these errors were encountered: