moxie0 / Convergence

An agile, distributed, and secure alternative to the Certificate Authority system.
http://convergence.io

convergence.io-website does not support HTTPS #145

Closed K-os closed 12 years ago

K-os commented 12 years ago

Am I really supposed to trust a security-related browser extension that is being distributed via a website that does not even support HTTPS?

Even if you argue that Convergence is supposed to deprecate the classic PKI model, I think the download location should at least provide HTTPS using a self-signed certificate.

Steps to reproduce:

  1. point your browser to https://convergence.io/

best regards, gabriel

moxie0 commented 12 years ago

Updates are signed; the initial download is a leap of faith since you don't have Convergence installed yet. Yes, I'm being intentionally inflammatory. =)

K-os commented 12 years ago

Thanks for the reply, although I still think weak security is better than none....

risicle commented 10 years ago

This is the sort of thing preventing me from installing Convergence. Sure, PKI is not 100% secure, but having a valid certificate would raise the barrier for compromising Convergence downloads. You could even get your certificate "pinned" in browsers.