alejandroivan
commented
5 years ago This is not a bug for the app.
Open JLLeitschuh opened 5 years ago
alejandroivan
commented
5 years ago This is not a bug for the app.
JLLeitschuh
commented
5 years ago It's a bug in how this app is downloaded by all of it's users allowing them to be maliciously compromised via a MITM.
DCzajkowski
commented
5 years ago If anyone wants to verify, for me the md5 hash for a zip file for version 2.8 is
MD5 (MacMediaKeyForwarder2.8.zip) = 71b62e96a28fc42103266fe8192c86eb
michaelblyons
commented
5 years ago You can also get the SHA hash from the Homebrew Cask configuration. TLS would be a nice addition to see that nobody's getting MitMed. (e.g. What if the updater of the Cask config got a shady version and SHAed that?)
If I recall correctly, Debian packages are distributed over HTTP, but they're all signed with keys that either come preloaded or have to be explicitly installed. We don't quite have the infrastructure for that here. 😉
DCzajkowski
commented
5 years ago Setting up a https is not THAT easy, so for now it would be nice to at least have hashes in a different domain to mitigate aforementioned security concern at least somewhat
Your site is serving the download for this app over HTTP instead of HTTPS. This is a security risk to your users. Please acquire a HTTPS certificate for your site.
You can get one for free from Let's Encrypt. https://letsencrypt.org/