Open cjeanneret opened 8 years ago
Thanks!
Fixed, now all RainLoop resources can be downloaded through an HTTPS connection.
Thanks for the fix-up :+1: Next step: HSTS and SSL enforcing ;). But at least we can tweak the URL in order to get some security.
Hello,
It seems repository.rainloop.net is served only via non-secure connection.
After some further checks, it appears the website actually answers to HTTPS connections, but enforces a non-SSL connection… Of course, this is bad:
even if you provide a GPG signature and the public GPG key, all the files are served through an insecure connection, meaning anything can go wrong — a malicious person might provide a tampered archive, and provide all necessary GPG stuff in order to make it valid. As people can add their private GPG key to the webmail, imagine what could happen…
Why do you enforce a non-SSL connection for that usage? Apparently, you already have an SSL certificate on the Cloudflare frontend…
As it is, it's hard to trust anything provided by RainLoop. And it's a shame, because this webmail seems promising.
Care to correct that?
Thank you!
Cheers,
C.