Use SSL-enabled URI for manifest.json #122

Merged
merged 1 commit into from Dec 17, 2015

weierophinney commented Dec 17, 2015

The script was using a non-SSL-enabled URI for the manifest.json, which could allow a MITM attack to provide an alternative file, and thus slipstream in insecure URIs for the box.phar locations.

Considering the manifest.json uses SSL-enabled URIs for the PHAR downloads themselves, the assumption is already that PHP can perform the SSL/TLS negotiation, so there's no reason not to use the SSL/TLS for retrieving the manifest itself.

Use SSL-enabled URI for manifest.json
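A defensive reading of the point above, as an added example rather than code from box-project: fetch the manifest only over https and reject any listed PHAR location that is not https too, so a swapped manifest cannot slipstream insecure URIs. The entry fields (name, sha1, url, version) and the example.invalid host are assumptions made for this illustration.

```php
<?php
// Added example (not box-project code): only accept an https manifest URI and
// refuse any PHAR download location in it that is not https as well.
// The entry layout (name/sha1/url/version) is assumed for illustration.

function assertHttpsUri(string $uri, string $what): void
{
    $scheme = parse_url($uri, PHP_URL_SCHEME);
    if (strtolower((string) $scheme) !== 'https') {
        throw new RuntimeException("$what must use https, got: $uri");
    }
}

// Decode the manifest and validate every listed PHAR location.
function validateManifest(string $json): array
{
    $entries = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($entries)) {
        throw new RuntimeException('manifest must be a JSON array');
    }
    foreach ($entries as $i => $entry) {
        foreach (['name', 'sha1', 'url', 'version'] as $key) {
            if (!isset($entry[$key]) || !is_string($entry[$key])) {
                throw new RuntimeException("entry $i lacks string field '$key'");
            }
        }
        assertHttpsUri($entry['url'], "download URI for {$entry['name']} {$entry['version']}");
        if (!preg_match('/^[0-9a-f]{40}$/i', $entry['sha1'])) {
            throw new RuntimeException("entry $i has a malformed sha1");
        }
    }
    return $entries;
}

// Fetch over https with peer verification on (PHP's default since 5.6), then validate.
function fetchManifest(string $manifestUri): array
{
    assertHttpsUri($manifestUri, 'manifest URI');
    $ctx = stream_context_create(['ssl' => ['verify_peer' => true, 'verify_peer_name' => true]]);
    $json = file_get_contents($manifestUri, false, $ctx);
    if ($json === false) {
        throw new RuntimeException("could not download $manifestUri");
    }
    return validateManifest($json);
}

// Constructed sample: the second entry is the kind a tampered manifest might carry.
$sample = '[{"name":"box.phar","sha1":"' . str_repeat('a', 40) . '","url":"https://example.invalid/box.phar","version":"2.7.0"},'
        . '{"name":"box.phar","sha1":"' . str_repeat('b', 40) . '","url":"http://example.invalid/box.phar","version":"2.7.1"}]';
try { validateManifest($sample); } catch (RuntimeException $e) { echo $e->getMessage(), PHP_EOL; }
```

Running the script rejects the sample at the second entry, since its download URI is plain http even though the manifest itself was accepted.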
kherge commented Dec 17, 2015

Excellent point. The use of HTTP is a carry-over from when I still had the box-project.org domain and couldn't set up a proper SSL certificate for it.

Thanks for the fix!

kherge added a commit that referenced this pull request Dec 17, 2015

Merge pull request #122 from weierophinney/patch-1
Use SSL-enabled URI for manifest.json

@kherge kherge merged commit 4b55944 into box-project:gh-pages Dec 17, 2015
