defuse / passgen

A password generator.

Wordlist Retrieval #43

Closed ghost closed 7 years ago

ghost commented 9 years ago

Currently, the wordlist used is retrieved over bare HTTP from the following URL:

world.std.com/~reinhold/diceware.wordlist.asc

The server, world.std.com, does offer HTTPS, but the certificate expired in 2004 - so that's not helpful. My suggestion would be to move the file to a different server that does offer HTTPS to eliminate this issue. Perhaps via GitHub Pages or include it in this repo, and reference the file directly.

Given the goal of this application, downloading this file without any security or privacy seems like a bad idea.

defuse commented 7 years ago

We're downloading (a different list) over HTTPS from GitHub now: https://github.com/defuse/passgen/blob/master/Makefile#L33

ghost commented 7 years ago

I wonder if I could get a CVE for this... 😉
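
A build-time wordlist fetch that fails closed, as an added shell example that is not code from the passgen repository or its Makefile: it refuses bare-HTTP URLs and HTTP redirects, and goes one step beyond the thread by checking a pinned SHA-256 digest before the file is used. The function names and the URL, destination and digest arguments are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not passgen's code). All function names are hypothetical.

# Succeeds only for https:// URLs, so a bare-HTTP source is rejected up front.
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Prints the hex SHA-256 of a file (sha256sum on Linux, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeeds only if the file's digest equals the pinned value.
verify_pinned() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# fetch_wordlist URL DEST EXPECTED_SHA256
# Return codes: 2 = non-HTTPS URL, 3 = download failed, 4 = digest mismatch.
fetch_wordlist() {
    url=$1 dest=$2 expected=$3
    require_https "$url" || { echo "refusing non-HTTPS URL: $url" >&2; return 2; }
    tmp=$(mktemp) || return 1
    # --proto-redir stops a redirect from downgrading the transfer to http.
    if ! curl --fail --silent --show-error --location \
            --proto '=https' --proto-redir '=https' --tlsv1.2 \
            --output "$tmp" "$url"; then
        rm -f "$tmp"; return 3
    fi
    if ! verify_pinned "$tmp" "$expected"; then
        echo "digest mismatch for $url" >&2
        rm -f "$tmp"; return 4
    fi
    # Only a verified file ever reaches the destination path.
    mv "$tmp" "$dest"
}
```

The pinned digest would be committed alongside the build file, so a changed upstream list fails the build instead of silently altering the generator's word source.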