kiwix / web

Bugs, enhancements, ideas for our Web presence
https://kiwix.org

Improper redirection to http instead of https #152

Closed Popolechien closed 2 years ago

Popolechien commented 2 years ago

From a user:

"https://download.kiwix.org/release/kiwix-desktop/kiwix-desktop_x86_64.appimage redirects to http://download.kiwix.org/release/kiwix-desktop/kiwix-desktop_x86_64_2.2.1-2.appimage (which then redirects to https://ftp.fau.de/kiwix/release/kiwix-desktop/kiwix-desktop_x86_64_2.2.1-2.appimage ...).

Note the second url is HTTP and not HTTPS.

This means that there is no assurance of cryptographic authenticity of downloads. So, a malicious actor sitting anywhere between the user and your webserver could rewrite the response to the intermediate non-https request and replace it with a maliciously-modified appimage, and users would be none the wiser.

For most users this is of little concern, but for users such as myself (who just downloaded kiwix via the Tor network, where some exit nodes are definitely malicious) this is a very real threat. It is also a very real threat (albeit one most don't think about) for users in many countries where your software is especially useful. There are in fact commercially available products used by many governments which can modify things like an ELF binary served over HTTP in real-time, without knowing what it is - so, a user could actually get a download that is a functioning version of kiwix but which also installs some surveillance malware from the local authorities.

Serving executable programs over HTTP was the norm a decade ago, but these days it is generally understood to be a bad idea. Please stop redirecting HTTPS links to HTTP"
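
A defender-side check for the downgrade the report describes, added here as an example (not Kiwix project code): it walks a redirect chain one hop at a time, without letting the client auto-follow, and flags every hop where an https URL redirects to plain http. The pure `audit_chain` function is exercised on a constructed chain that mirrors the three URLs quoted above; `fetch_chain` is the live variant and is not run by default.

```python
"""Walk an HTTP redirect chain hop by hop and flag https -> http downgrades.

Added example, not Kiwix code. audit_chain() is the pure check; fetch_chain()
performs real HEAD requests and is only called if you uncomment it in main.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so every intermediate hop stays visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_chain(url, max_hops=10):
    """Return the list of URLs visited, one entry per hop, using HEAD requests."""
    opener = urllib.request.build_opener(_NoRedirect)
    chain = [url]
    for _ in range(max_hops):
        req = urllib.request.Request(chain[-1], method="HEAD")
        try:
            with opener.open(req):
                return chain  # 2xx response: this is the final hop
        except urllib.error.HTTPError as err:
            location = err.headers.get("Location")
            if err.code not in REDIRECT_CODES or not location:
                raise
            chain.append(urljoin(chain[-1], location))  # resolve relative Location
    raise RuntimeError("too many redirects")


def audit_chain(chain):
    """Return (hop_index, from_url, to_url) for each https -> http hop in chain."""
    downgrades = []
    for i in range(1, len(chain)):
        before = urlsplit(chain[i - 1]).scheme.lower()
        after = urlsplit(chain[i]).scheme.lower()
        if before == "https" and after == "http":
            downgrades.append((i, chain[i - 1], chain[i]))
    return downgrades


# Constructed chain mirroring the hops quoted in the bug report above.
REPORTED_CHAIN = [
    "https://download.kiwix.org/release/kiwix-desktop/kiwix-desktop_x86_64.appimage",
    "http://download.kiwix.org/release/kiwix-desktop/kiwix-desktop_x86_64_2.2.1-2.appimage",
    "https://ftp.fau.de/kiwix/release/kiwix-desktop/kiwix-desktop_x86_64_2.2.1-2.appimage",
]

if __name__ == "__main__":
    # chain = fetch_chain(REPORTED_CHAIN[0])  # live check; needs network access
    for hop, src, dst in audit_chain(REPORTED_CHAIN):
        print(f"hop {hop}: {src} -> {dst}  (https -> http downgrade)")
```

Even though the last hop in the quoted chain is https again, the plain-http hop in the middle is enough for an on-path attacker to substitute a different Location, so a single downgrade anywhere in the chain is a finding.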

rgaudin commented 2 years ago

Ah, pedantic comments; my favorites 😉 Looking at it now but FYI, this repo is only for www.kiwix.org. For others (such as download here), tickets should be opened in kiwix/k8s

rgaudin commented 2 years ago

Fixed via https://github.com/kiwix/k8s/commit/065f8e718023d53c0fdfb7798b446308e169fd2a