Installer shell script downloads keys over HTTP (not HTTPS)

[dturner-tw]

from the installer script:
curl -s http://download.draios.com/DRAIOS-GPG-KEY.public | apt-key add -

This is bad because there's no authentication; anyone could MITM this. HTTPS would solve this problem.

[gianlucaborello]

Good catch!

Problem is we use S3 to host our repository so we can't get HTTPS for download.draios.com, so I'll just move the key to another location or use the full s3.amazonaws.com name.

Thanks for reporting this!

[gianlucaborello]

Meanwhile you can use https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public

[gianlucaborello]

So this should be fixed in 98e1970.
I also updated our wiki and website so the entire installer is fetched from HTTPS and a potential MITM is avoided there as well.
Unfortunately the URLs look less pretty but that's S3.

Thanks!

[dturner-tw]

Awesome! Thanks for the quick response.

On Thu, Apr 3, 2014 at 3:33 PM, Gianluca Borello
notifications@github.comwrote:

So this should be fixed in 98e197098e1970498
.
I also updated our wiki and website so the entire installer is fetched
from HTTPS and a potential MITM is avoided there as well.
Unfortunately the URLs look less pretty but that's S3.

Thanks!

Reply to this email directly or view it on GitHubhttps://github.com//issues/29#issuecomment-39494790
.