joefitzgerald / packer-windows

Windows Packer Templates
MIT License
1.63k stars 1.12k forks

Use HTTPS to reduce man-in-the-middle attack vector #269

Closed dglinder closed 5 years ago

dglinder commented 5 years ago

The URL also works as "https://www.mls-software.com/files/setupssh-7.1p1-1.exe" so this would reduce potential for man-in-the-middle attacks compromising the build.

dragetd commented 5 years ago

I am kind of shocked to see that this is even a thing throughout multiple points of the scripts. This is a high security risk. Searching for 'http:' shows some more results:

https://github.com/joefitzgerald/packer-windows/blob/c4a111f4f95d311f37ec0f2ae545ffa5407597cb/scripts/compact.bat#L2

https://github.com/joefitzgerald/packer-windows/blob/c4a111f4f95d311f37ec0f2ae545ffa5407597cb/scripts/compact.bat#L7

https://github.com/joefitzgerald/packer-windows/blob/c4a111f4f95d311f37ec0f2ae545ffa5407597cb/scripts/puppet-enterprise.bat#L2

https://github.com/joefitzgerald/packer-windows/blob/c4a111f4f95d311f37ec0f2ae545ffa5407597cb/scripts/puppet.bat#L2

https://github.com/joefitzgerald/packer-windows/blob/c4a111f4f95d311f37ec0f2ae545ffa5407597cb/scripts/rsync.bat#L3

https://github.com/joefitzgerald/packer-windows/blob/c4a111f4f95d311f37ec0f2ae545ffa5407597cb/scripts/rsync.bat#L8

https://github.com/joefitzgerald/packer-windows/blob/c4a111f4f95d311f37ec0f2ae545ffa5407597cb/scripts/vm-guest-tools.bat#L2

https://github.com/joefitzgerald/packer-windows/blob/c4a111f4f95d311f37ec0f2ae545ffa5407597cb/scripts/vm-guest-tools.bat#L18

https://github.com/joefitzgerald/packer-windows/blob/c4a111f4f95d311f37ec0f2ae545ffa5407597cb/scripts/chef.bat#L2

https://github.com/joefitzgerald/packer-windows/blob/c4a111f4f95d311f37ec0f2ae545ffa5407597cb/scripts/openssh.ps1#L9

This is not good!
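An audit check in the spirit of dragetd's search for 'http:', added here as an example and not part of the repository or of this thread: it walks a tree of provisioning scripts and reports every plain-http URL with its file and line number, so a build tree can be checked before templates are run. The sample scripts it writes into a temporary directory are constructed for the demo (the `mirror.example` host is a placeholder); they are not copies of the repository's files.

```python
import re
import tempfile
from pathlib import Path

# A URL whose scheme is plain http; https:// never matches because the
# pattern requires "http:" followed directly by "//". The URL ends at
# whitespace, a quote, an angle bracket or a closing parenthesis.
HTTP_URL = re.compile(r'\bhttp://[^\s"\'<>)]+', re.IGNORECASE)
SCRIPT_SUFFIXES = {".bat", ".cmd", ".ps1", ".sh"}

# Constructed sample content for the demo, not the repository's scripts.
SAMPLE_SCRIPTS = {
    "scripts/openssh.ps1":
        '$url = "http://www.mls-software.com/files/setupssh-7.1p1-1.exe"\n',
    "scripts/compact.bat":
        "bitsadmin /transfer compact http://mirror.example/compact.zip %TEMP%\\compact.zip\n",
    # Already fixed: fetched over HTTPS, so it must not be reported.
    "scripts/clean.ps1":
        '$url = "https://www.mls-software.com/files/setupssh-7.1p1-1.exe"\n',
}


def find_plain_http(text):
    """Return (line_number, url) for every http:// URL in a script's text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in HTTP_URL.finditer(line):
            hits.append((lineno, match.group(0)))
    return hits


def audit_tree(root):
    """Map each script under root that downloads over plain http to its hits."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCRIPT_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            hits = find_plain_http(text)
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings


def demo():
    """Write the constructed sample scripts to a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE_SCRIPTS.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return audit_tree(tmp)


if __name__ == "__main__":
    for script, hits in demo().items():
        for lineno, url in hits:
            print(f"{script}:{lineno}: plain-http download {url}")
```

Point `audit_tree` at a checkout's `scripts` directory to list the same kind of hits the comment above enumerates; an empty result means every download URL in those files uses a scheme other than plain http.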