Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Scripts seem to be downloaded insecurely #253

Closed
8573 opened this issue Nov 11, 2014 · 13 comments
Closed

Scripts seem to be downloaded insecurely #253

8573 opened this issue Nov 11, 2014 · 13 comments
Assignees
@flashcode
Labels
feature New feature request
Milestone
1.1

Comments

@8573
Copy link

8573 commented Nov 11, 2014

The /script command appeared to download the scripts and the index of
scripts via unsecured HTTP, which would seem to be a security risk, unless
there is some subsequent cryptographic verification of the downloaded data.

Three potential solutions I see are:
@Mikaela
Copy link
Contributor

Mikaela commented Nov 11, 2014

I suppose the script index would need to be uploaded to GitHub, perhaps
with GitHub’s “releases” feature.

I am not fully sure about releases feature as it uses git tags which again are more like for single project instead of around hundred scripts.

Upgrading weechat.org to HTTPS, perhaps with a free certificate from
GlobalSign: https://www.globalsign.com/ssl/ssl-open-source/.
This would also cover the packages that are offered for download from
http://weechat.org.

Alternatively CloudFlare gives free certificates when you use their protection.

@8573
Copy link
Author

8573 commented Nov 11, 2014

Alternatively CloudFlare gives free certificates when you use their
protection.

Unless weechat.org is upgraded to support HTTPS anyway, wouldn’t the
weechat.org ↔ CloudFlare connection not be (significantly) more secure
than weechat.org ↔ end-user connections are now?

@Mikaela
Copy link
Contributor

Mikaela commented Nov 11, 2014

Unless weechat.org is upgraded to support HTTPS anyway, wouldn’t the
weechat.org ↔ CloudFlare connection not be (significantly) more secure
than weechat.org ↔ end-user connections are now?

CloudFlare doesn't care about self signed certificates, most of users probably do.

@8573
Copy link
Author

8573 commented Nov 11, 2014

CloudFlare doesn't care about self signed certificates, most of users
probably do.

https://www.cloudflare.com/ssl implies that CloudFlare provides no way
to have it validate a self-signed certificate (e.g., by giving
CloudFlare the certificate’s fingerprint in some administrative
interface):

Full SSL: […] CloudFlare will not attempt to validate the certificate
(certificates may be self-signed).

While CloudFlare’s “Full SSL” option would provide encryption of the
connection, it seems to me that only the “Full SSL (strict)” option,
applied in combination with a certificate from a generally-recognized
authority, would provide authentication of the connection;
authentication of the connection being my concern.

@flashcode flashcode added the feature New feature request label Nov 11, 2014
@flashcode
Copy link
Member

It's planned to upgrade weechat.org to HTTPS (when I'll have some time, or any help is welcome, since the site is open-source).

@flashcode
Copy link
Member

Site weechat.org has been upgraded to HTTPS (the HTTP is still working).
I'll then check how to enable HTTPS by default in script plugin (for download of scripts index and scripts themselves). I'll even try to force existing users to switch to HTTPS by defaut (automatically).

@Mikaela
Copy link
Contributor

Mikaela commented Nov 15, 2014

HSTS?

@flashcode
Copy link
Member

For now I don't plan to disable HTTP, to stay compatible with existing script plugin (or old releases), which uses HTTP by default.
In far future, HTTP could be disabled on weechat.org.

@8573
Copy link
Author

8573 commented Nov 15, 2014

That was quick. Thanks!

I don’t believe using HSTS would entail disabling unsecured HTTP
server-side.

@flashcode
Copy link
Member

The fix is only on weechat.org now, I'll update script plugin to force HTTPS soon (and then I'll close this issue once done).

@Mikaela
Copy link
Contributor

Mikaela commented Nov 15, 2014

I would say

I don’t believe using HSTS would entail disabling unsecured HTTP

but it was already said and you can give same content on both HTTP and HTTPS if something doesn't use HTTPS even if there is HSTS.

@flashcode
Copy link
Member

OK, I misunderstood what HSTS was.
It is now enabled on weechat.org.

@flashcode flashcode added this to the 1.1 milestone Nov 15, 2014
@flashcode flashcode self-assigned this Nov 15, 2014
@tabbyrobin tabbyrobin mentioned this issue Aug 22, 2015
Open
flashcode added a commit that referenced this issue Apr 23, 2017
@flashcode
script: remove option script.scripts.url_force_https, use HTTPS by de…
2606b8a 
…fault in option script.scripts.url (issue #253)
@flashcode
Copy link
Member

The option script.scripts.url_force_https has been removed because now weechat.org is HTTPS only (there's an automatic redirection from HTTP to HTTPS).
The default value for option script.scripts.url is now using HTTPS.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@flashcode flashcode

Labels
feature New feature request
Projects
None yet
Milestone
1.1
Development

No branches or pull requests
3 participants
@Mikaela @flashcode @8573