milgra / macmediakeyforwarder

Media Key Forwarder for iTunes and Spotify
The Unlicense
1.26k stars 85 forks

Your site is not secure #84

Open JLLeitschuh opened 5 years ago

JLLeitschuh commented 5 years ago

Your site is serving the download for this app over HTTP instead of HTTPS. This is a security risk to your users. Please acquire an HTTPS certificate for your site.

You can get one for free from Let's Encrypt. https://letsencrypt.org/

alejandroivan commented 5 years ago

This is not a bug for the app.

JLLeitschuh commented 5 years ago

It's a bug in how this app is downloaded by all of its users, allowing them to be maliciously compromised via a MITM.

DCzajkowski commented 5 years ago

If anyone wants to verify, for me the md5 hash for a zip file for version 2.8 is

MD5 (MacMediaKeyForwarder2.8.zip) = 71b62e96a28fc42103266fe8192c86eb

michaelblyons commented 5 years ago

You can also get the SHA hash from the Homebrew Cask configuration. TLS would be a nice addition to see that nobody's getting MitMed. (e.g. What if the updater of the Cask config got a shady version and SHAed that?)

If I recall correctly, Debian packages are distributed over HTTP, but they're all signed with keys that either come preloaded or have to be explicitly installed. We don't quite have the infrastructure for that here. 😉

DCzajkowski commented 5 years ago

Setting up HTTPS is not THAT easy, so for now it would be nice to at least have hashes on a different domain to mitigate the aforementioned security concern at least somewhat.
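The thread above proposes two mitigations while the download stays on HTTP: compare the archive against a hash published out of band (a commenter's MD5, or the `sha256` pinned in the Homebrew Cask, or hashes hosted on a separate domain). The script below is an added example of that check, not code from this project or from anyone in the thread. It uses SHA-256 rather than MD5 (MD5 is collision-prone and Casks pin SHA-256 anyway), falls back between `sha256sum` and macOS's `shasum`, and shows that a one-byte change to the archive, as a MITM would introduce, flips the result. The file name and its hash in the demo are constructed test data, not the real release archive.

```shell
#!/bin/sh
# Added example: verify a downloaded archive against a SHA-256 obtained out of band
# (Homebrew Cask stanza, a maintainer page served over HTTPS, a separate domain).
# Not part of macmediakeyforwarder; the demo file and hash are constructed.

sha256_of() {
  # Portable SHA-256: Linux ships sha256sum, macOS ships shasum.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

verify_sha256() {
  # usage: verify_sha256 FILE EXPECTED_HEX
  # returns 0 when the file's digest equals the pinned value, 1 otherwise.
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # normalise case before comparing
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "OK   $file"
    return 0
  fi
  echo "FAIL $file" >&2
  echo "  expected: $expected" >&2
  echo "  actual:   $actual" >&2
  return 1
}

demo_tamper_detection() {
  # Constructed stand-in for the downloaded zip: the bytes "hello\n", whose
  # SHA-256 is the pinned value below (as a Cask or an HTTPS page would publish).
  tmp=$(mktemp)
  printf 'hello\n' > "$tmp"
  pinned=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

  # 1. Untampered download must verify.
  verify_sha256 "$tmp" "$pinned" || { rm -f "$tmp"; return 1; }

  # 2. Simulate a MITM swapping in a modified archive: append a single byte.
  printf 'x' >> "$tmp"
  if verify_sha256 "$tmp" "$pinned" 2>/dev/null; then
    rm -f "$tmp"
    return 1   # tampering went undetected: must never happen
  fi

  rm -f "$tmp"
  return 0
}

demo_tamper_detection && echo "tampered archive was rejected, pinned archive accepted"
```

In practice you would run `verify_sha256 MacMediaKeyForwarder2.8.zip <hash>` with the hash copied from a channel the attacker on the HTTP path cannot also rewrite; a hash published on the same HTTP site as the download adds nothing, which is why the comments above ask for a different domain or the Cask.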