Scripts seem to be downloaded insecurely #253
Comments
I am not fully sure about the releases feature, as it uses git tags, which again are more for a single project instead of around a hundred scripts.
Alternatively, CloudFlare gives free certificates when you use their protection.
Unless
CloudFlare doesn't care about self-signed certificates; most users probably do.
https://www.cloudflare.com/ssl implies that CloudFlare provides no way
While CloudFlare’s “Full SSL” option would provide encryption of the
It's planned to upgrade weechat.org to HTTPS (when I have some time, or any help is welcome, since the site is open-source).
Site weechat.org has been upgraded to HTTPS (HTTP is still working).
HSTS?
For now I don't plan to disable HTTP, to stay compatible with the existing script plugin (or old releases), which uses HTTP by default.
That was quick. Thanks! I don’t believe using HSTS would entail disabling unsecured HTTP
I would say
but it was already said, and you can give the same content on both HTTP and HTTPS if something doesn't use HTTPS, even if there is HSTS.
OK, I misunderstood what HSTS was.
…fault in option script.scripts.url (issue #253)
The option script.scripts.url_force_https has been removed because now weechat.org is HTTPS only (there's an automatic redirection from HTTP to HTTPS).
The /script command appeared to download the scripts and the index of scripts via unsecured HTTP, which would seem to be a security risk, unless there is some subsequent cryptographic verification of the downloaded data.

Three potential solutions I see are:

1. Downloading from https://github.com/weechat/scripts rather than from http://weechat.org. I suppose the script index would need to be uploaded to GitHub, perhaps with GitHub’s “releases” feature.
2. Upgrading weechat.org to HTTPS, perhaps with a free certificate from GlobalSign: https://www.globalsign.com/ssl/ssl-open-source/. This would also cover the packages that are offered for download from http://weechat.org.
3. Having the scripts and the script index be cryptographically signed with (e.g.) an OpenPGP implementation, and verifying the signatures.
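As an added illustration of the client-side half of this discussion (not WeeChat's own code): HSTS only instructs browsers, so a non-browser script downloader must enforce HTTPS itself, both by rewriting a configured http:// URL (the idea behind the later url_force_https option) and by refusing any redirect that would step back down to plaintext. The index path used below is a constructed placeholder, not the real WeeChat index location.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit


def force_https(url: str) -> str:
    """Return the URL with an http:// scheme rewritten to https://.

    Any other non-HTTPS scheme (ftp://, file://, ...) is rejected outright,
    so a misconfigured option can never silently fetch over plaintext.
    """
    parts = urlsplit(url)
    if parts.scheme == "http":
        parts = parts._replace(scheme="https")
    if parts.scheme != "https":
        raise ValueError(f"refusing non-HTTPS scheme: {parts.scheme!r}")
    return urlunsplit(parts)


class NoDowngradeRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Follow redirects, but never from https:// to a non-HTTPS target.

    A server-side HTTP -> HTTPS redirect (as weechat.org now does) is fine;
    the reverse direction would reintroduce the plaintext download.
    """

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if (urlsplit(req.full_url).scheme == "https"
                and urlsplit(newurl).scheme != "https"):
            raise urllib.error.HTTPError(
                newurl, code, "refusing HTTPS to HTTP downgrade redirect",
                headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def fetch_script_index(url: str, timeout: float = 30.0) -> bytes:
    """Download the script index over HTTPS only, using the handler above."""
    opener = urllib.request.build_opener(NoDowngradeRedirectHandler())
    with opener.open(force_https(url), timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Constructed placeholder URL; the real index path is not part of this example.
    print(force_https("http://weechat.org/scripts/index"))
```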