Closed davidmyersdev closed 7 years ago
Hi, there is a self-signed certificate here: https://box.hackbbs.org/ The checksums are also available here:
This is not sufficient?
I appreciate the response on this. The checksums on GitHub are definitely useful, but I was mostly talking about the box host. In the Vagrant configuration, kali.vm.box_url is pulling a box over standard HTTP. This is fine if you're using the checksums to verify the box integrity, but serving over a CA-signed TLS cert would allow us to forgo the checksum verification step and, more importantly, lessen the chance of actually downloading a malicious box. It's just a suggestion. Let's Encrypt allows you to easily set up a free certificate and automate the renewal process. The self-signed cert would work if we installed the public certificate on our machines, but otherwise, it's no more useful than serving over HTTP.
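Added example, not part of the thread or the project's code: a small Ruby check that flags the situation described in the comment above, a `box_url` fetched over plain HTTP with no pinned checksum, and also a TLS URL with certificate verification turned off. The sample Vagrantfile, host name and checksum placeholder are constructed; `box_download_checksum`, `box_download_checksum_type` and `box_download_insecure` are Vagrant's own settings, which the thread does not mention.

```ruby
# Flag Vagrant box downloads that have no transport or checksum protection.
# SAMPLE is a constructed Vagrantfile; host name and checksum are placeholders.
SAMPLE = <<~'VAGRANTFILE'
  Vagrant.configure("2") do |config|
    config.vm.define "kali" do |kali|
      kali.vm.box = "kali"
      kali.vm.box_url = "http://boxes.example.org/kali.box"
    end
    config.vm.define "pinned" do |pinned|
      pinned.vm.box = "kali"
      pinned.vm.box_url = "http://boxes.example.org/kali.box"
      pinned.vm.box_download_checksum = "<sha256-from-trusted-channel>"
      pinned.vm.box_download_checksum_type = "sha256"
    end
    config.vm.define "tls" do |tls|
      tls.vm.box = "kali"
      tls.vm.box_url = "https://boxes.example.org/kali.box"
      tls.vm.box_download_insecure = true
    end
  end
VAGRANTFILE

# Matches "<var>.vm.box_<setting> = <value>" and captures all three parts.
SETTING = /^\s*(\w+)\.vm\.(box_\w+)\s*=\s*(.+?)\s*$/

# Returns { config_variable => [findings] } for every variable with a problem.
def audit_vagrantfile(text)
  settings = Hash.new { |h, k| h[k] = {} }
  text.each_line do |line|
    next if line.strip.start_with?("#")          # skip commented-out settings
    m = SETTING.match(line) or next
    settings[m[1]][m[2]] = m[3].delete(%q("'))   # store the value without quotes
  end
  findings = {}
  settings.each do |var, s|
    url = s["box_url"] or next
    issues = []
    # A checksum only helps if both the value and its type are pinned in the file.
    pinned = s.key?("box_download_checksum") && s.key?("box_download_checksum_type")
    issues << "box_url over HTTP without a pinned checksum" if url.start_with?("http://") && !pinned
    issues << "TLS verification disabled (box_download_insecure)" if url.start_with?("https://") && s["box_download_insecure"] == "true"
    findings[var] = issues unless issues.empty?
  end
  findings
end

audit_vagrantfile(SAMPLE).each { |var, issues| issues.each { |i| puts "#{var}: #{i}" } }
```

A pinned checksum is only as trustworthy as the channel it was copied from, so it should come from a source served over verified TLS, such as the GitHub-hosted checksums mentioned in this thread.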
Hi! Sorry for the latency. I tried the Vagrant Cloud storage for some boxes and it looks good; I think I will upload all the Kali boxes here. Boxes will be served by https://atlas.hashicorp.com and checksums by GitHub. I think this is a good alternative: the number of boxes has increased and I have limited storage on the current server (it was originally temporary...).
@Sliim I think that's a great plan! Thanks for continuing to work on this!
Done. All boxes are now uploaded to atlas.hashicorp.com.
I just realized that the box hosting server isn't using TLS to serve the boxes or the checksums list. Consider buying a certificate or at least using Let's Encrypt to install a free cert.