Open JLLeitschuh opened 5 years ago
Not sure which files you're referring to? The github version is available over https - the older version on sourceforge relies on whatever sourceforge does, but also looks like https?
This site's links are all HTTP not HTTPS:
http://jxplorer.org/downloads/users.html Also, the downloads site itself is only served over HTTP so the contents of that page could be manipulated via a MITM attack.
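An added example, not code from the jxplorer project or from anyone in this thread: a small Python audit that lists the download links on a page that resolve to plain http://, including relative links on a page that is itself served over HTTP (the second problem raised above). The sample page, host name and file names it uses are constructed.

```python
"""Audit an HTML page for download links served over plain HTTP.

Added example (not part of the jxplorer project or this issue thread). It
parses HTML with the standard library only and reports every link whose
scheme is http://, so a site maintainer can see which artefacts a network
attacker between user and server could replace. The sample page below is
constructed, not fetched.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample resembling a downloads page; host and file names are invented.
SAMPLE_PAGE = """
<html><body>
<a href="http://example.invalid/downloads/tool-1.0.zip">zip</a>
<a href="https://example.invalid/downloads/tool-1.0.tar.gz">tar.gz</a>
<a href="/downloads/tool-1.0-setup.exe">installer</a>
<a href="mailto:someone@example.invalid">contact</a>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect the href attribute of every <a> tag in the document."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)


def find_insecure_links(html, page_url):
    """Return absolute URLs of links that would be fetched over plain HTTP.

    Relative links inherit the scheme of page_url, so a page that is itself
    served over HTTP makes every relative download link insecure as well.
    """
    parser = _LinkCollector()
    parser.feed(html)
    insecure = []
    for href in parser.hrefs:
        absolute = urljoin(page_url, href)
        if urlsplit(absolute).scheme == "http":
            insecure.append(absolute)
    return insecure


if __name__ == "__main__":
    for url in find_insecure_links(SAMPLE_PAGE, "http://example.invalid/downloads/users.html"):
        print("insecure:", url)
```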
Ping!
sigh - the problem is that the jxplorer site is hosted on a truly ancient 'managed' server and it turns out it can't be hardened in-situ; they say I have to move the site to a new hosting environment - which is a bunch of work... the download links are all https, but I take your point about MITM attacks. The next time I update the site I'll move it I guess... :-/
Dr Christopher Betts Pegacat Aerospace Melbourne, Australia m: 61 408 533 456
On Sat, 4 May 2019 at 08:49, Jonathan Leitschuh notifications@github.com wrote:
Ping!
The only way to download the pre-built version of this tool from the website is over HTTP, not over HTTPS. This is fundamentally insecure and leaves you open to having your users' machines compromised by malicious code served to them during a MITM attack.