outroll / vesta

VESTA Control Panel
http://vestacp.com
GNU General Public License v3.0

Unsafe (http) install links #1959

Open bugchecker opened 5 years ago

bugchecker commented 5 years ago

Operating System (OS/VERSION):

Any

VestaCP Version:

Any

Installed Software (what you got with the installer):

Any

Steps to Reproduce:

Install Vesta

Related Issues/Forum Threads:

https://github.com/serghey-rodin/vesta/issues/1322

Other Notes:

Default way to install Vesta is:

# curl -O http://vestacp.com/pub/vst-install.sh
# bash vst-install.sh

But http is not a safe protocol, especially for software run by root. I can manually replace the vst-install.sh link with https, but there are other http links used by vst-install.sh. It's a good idea to replace all install script links with https.
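A check along the lines this report asks for, as an added example that is not part of the original thread or VestaCP's code: it lists the plain-http URLs an installer script would fetch and writes an https copy for review. The sample installer and its example.com hosts are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not VestaCP code): find plain-http URLs in an installer
# script before running it as root. Hosts in the sample are constructed.

# Print "LINE:URL" for each http:// URL on a non-comment line of file $1.
list_http_urls() {
    awk -v re="http://[^ \t\"']+" '
        /^[ \t]*#/ { next }                  # ignore full-line comments
        {
            rest = $0
            while (match(rest, re)) {
                print NR ":" substr(rest, RSTART, RLENGTH)
                rest = substr(rest, RSTART + RLENGTH)
            }
        }' "$1"
}

# Exit status 0 only when no plain-http URL is left; findings go to stderr.
audit_installer() {
    if list_http_urls "$1" | grep -q .; then
        list_http_urls "$1" | sed 's/^/plain-http URL at line /' >&2
        return 1
    fi
}

# Write a copy of $1 to $2 with every http:// URL switched to https://.
# Review the copy and confirm each host serves HTTPS before using it.
rewrite_to_https() {
    sed 's#http://#https://#g' "$1" > "$2"
}

# Constructed sample installer; it is not the contents of vst-install.sh.
write_sample_installer() {
    cat > "$1" <<'EOF'
#!/bin/bash
# mirror list: http://mirror.example.com/ (comment, ignored)
curl -O http://repo.example.com/pub/install-helper.sh
echo "deb http://apt.example.com/stable main" > /etc/apt/sources.list.d/x.list
wget https://repo.example.com/pub/key.asc -O key.asc
EOF
}

# Demo: audit the constructed sample and refuse to continue on findings.
tmp=$(mktemp -d)
write_sample_installer "$tmp/install.sh"
audit_installer "$tmp/install.sh" || echo "refusing to run: fix the URLs above"
```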

cypa commented 4 years ago

+1 Dear VestaCP developers, are you aware of MITM attacks?

tlcd96 commented 4 years ago

@cypa, I'm not a developer (for this repo), but I'm almost sure that this was referred before... :/

cypa commented 4 years ago

I do agree with the topic starter actually