Permanent fix for #797 #798
Comments
If the checksum changes a lot, you can just leave it out.
Or, we use a browser step to manage the download of the client
How is the checksum related to your /etc/hosts?
A checksum does not secure an HTTP transaction and is not a digital signature mechanism, especially when it is automatically updated... HTTPS has been created to solve this problem
@qparis HTTPS can be abused since any page can use a secure certificate. Note the invalid URL -> Phishing website designed to steal M$ accounts @plata If
If you have access to the machine and you can install a certificate, of course, anything can be abused... Please read about checksum, digital signature and cryptography. Saying that we should create a bot that automatically changes the checksum on the script for security reasons is just crazy
@qparis Note that the site mentioned above comes with a valid certificate; nothing was changed from my side. I'm suggesting to make a bot that is going to update the checksum in case the installer is updated. Why is it insane?
@Kreyren You are suggesting to "secure" an HTTPS connection with a checksum, that is crazy for many reasons:
Can we now focus on the real problem of this ticket or do we continue to reinvent HTTPS?
https://thehackernews.com/2017/04/unicode-Punycode-phishing-attack.html, Note that the site in an example has a secure certificate. Sites alike are also common and MACOSX: https://www.exploit-db.com/exploits/44307
Made a hotfix to disable checksum. Dunno how else it could be solved excluding automatic checksum
Just disable the checksum like all other scripts where the downloaded file changes frequently.
Disagree, but I respect the decision. Recommend closing.
League Of Legends installers seem to be frequently updated -> causes checksum mismatch.
Reference: #797 (comment)
Suggestions? Can we in theory make something that would update the checksum automatically?
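
The trade-off argued in this thread, as an added example that is not part of the thread or of the project's scripts: it compares a pinned checksum, a checksum recomputed from whatever was downloaded (an assumed model of the proposed bot), and a publisher signature across a legitimate update and a modified file. The Ed25519 key pair, the payloads and all function names are constructed for illustration; nothing on the page says the publisher signs its installers.

```javascript
const crypto = require('crypto');

const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest('hex');

// Constructed sample data: a publisher key pair and three installer payloads.
const publisher = crypto.generateKeyPairSync('ed25519');
const v1 = Buffer.from('installer build 1 (constructed sample)');
const v2 = Buffer.from('installer build 2, legitimate update (constructed sample)');
const modified = Buffer.from('installer build 2 changed in transit (constructed sample)');

// Checksum written into the install script when build 1 was reviewed.
const PINNED = sha256(v1);

// What the download channel returns. Only the publisher can sign, so a file
// changed by anyone else still carries the signature of the real build 2.
const sign = (file) => crypto.sign(null, file, publisher.privateKey);
const responses = {
  original: { file: v1, signature: sign(v1) },
  update: { file: v2, signature: sign(v2) },
  modified: { file: modified, signature: sign(v2) },
};

// 1. Pinned checksum: compare against the value stored in the script.
const pinnedCheck = (r) => sha256(r.file) === PINNED;

// 2. Auto-updated checksum (hypothetical bot): the expected value is
//    recomputed from the downloaded file, so it matches by construction.
const autoUpdatedCheck = (r) => {
  const refreshed = sha256(r.file); // value the bot would commit to the script
  return sha256(r.file) === refreshed;
};

// 3. Publisher signature, verified with a public key pinned in the script.
const signatureCheck = (r) =>
  crypto.verify(null, r.file, publisher.publicKey, r.signature);

// Run all three checks over every response and collect the verdicts.
function evaluate() {
  const out = {};
  for (const [name, r] of Object.entries(responses)) {
    out[name] = {
      pinned: pinnedCheck(r),
      autoUpdated: autoUpdatedCheck(r),
      signature: signatureCheck(r),
    };
  }
  return out;
}

console.table(evaluate());
```

The pinned checksum rejects both changed files and cannot tell them apart, while the recomputed checksum accepts both. Only the signature check accepts the update and rejects the modified file.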