pegacat / jxplorer

A free java ldap client with LDIF support, security (inc SSL, SASL & GSSAPI), translated into many languages (inc. Chinese), online help, user forms and many other features.

Offer download over HTTPS #5

Open JLLeitschuh opened 5 years ago

JLLeitschuh commented 5 years ago

The only way to download the pre-built version of this tool from the website is over HTTP, not over HTTPS. This is fundamentally insecure and leaves you open to having your users' machines compromised by malicious code served to them during a MITM attack.

pegacat commented 5 years ago

Not sure which files you're referring to? The github version is available over https - the older version on sourceforge relies on whatever sourceforge does, but also looks like https?

JLLeitschuh commented 5 years ago

This site's links are all HTTP not HTTPS:

http://jxplorer.org/downloads/users.html

Also, the downloads site itself is only served over HTTP, so the contents of that page could be manipulated via a MITM attack.
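A quick way for a maintainer to verify the complaint above is to scan the downloads page for link targets that resolve to plain HTTP. The script below is an added example for this thread, not code from the jxplorer project; it uses only the Python standard library and runs over a constructed HTML snippet (the file names and mirror hosts in it are made up, only the page URL is the one quoted in the issue). Note that relative and protocol-relative links inherit the scheme of the page they sit on, so a page served over HTTP makes even its "https-looking" relative download links insecure.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LinkCollector(HTMLParser):
    """Collect every href value from <a> tags on a page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value:
                self.links.append(value)


def find_insecure_links(page_url, html):
    """Return the absolute link targets that would be fetched over plain HTTP.

    Relative hrefs are resolved against page_url, so the page's own scheme
    decides whether "/downloads/x.zip" or "//cdn/x.zip" ends up insecure.
    """
    parser = _LinkCollector()
    parser.feed(html)
    insecure = []
    for href in parser.links:
        absolute = urljoin(page_url, href)
        if urlsplit(absolute).scheme.lower() == "http":
            insecure.append(absolute)
    return insecure


def audit_downloads_page(page_url, html):
    """Produce human-readable findings: the page scheme plus each HTTP link."""
    findings = []
    page_scheme = urlsplit(page_url).scheme.lower()
    if page_scheme != "https":
        findings.append(f"page itself served over {page_scheme}: {page_url}")
    for link in find_insecure_links(page_url, html):
        findings.append(f"insecure download link: {link}")
    return findings


# Constructed sample: a downloads page as a MITM-exposed site might serve it.
# The page URL is the one named in the issue; file names and mirrors are invented.
PAGE_URL = "http://jxplorer.org/downloads/users.html"
SAMPLE_HTML = """
<html><body>
<a href="/downloads/installer.zip">Windows installer</a>
<a href="https://github.com/pegacat/jxplorer/releases">GitHub releases</a>
<a href="http://mirror.example.com/installer.zip">Mirror</a>
<a href="//cdn.example.com/installer.tar.gz">Linux tarball</a>
<a href="mailto:someone@example.com">Contact</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_downloads_page(PAGE_URL, SAMPLE_HTML):
        print(finding)
```

Running the block with the sample input reports the page itself plus three links (the relative, the explicit-HTTP and the protocol-relative one); re-running with an `https://` page URL leaves only the explicit `http://mirror.example.com` link flagged, which is the point pegacat and JLLeitschuh are circling: moving the page to HTTPS fixes the relative links for free, but hard-coded `http://` mirrors still need editing.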

JLLeitschuh commented 5 years ago

Ping!

pegacat commented 5 years ago

sigh - the problem is that the jxplorer site is hosted on a truly ancient 'managed' server and it turns out it can't be hardened in-situ; they say I have to move the site to a new hosting environment - which is a bunch of work... the download links are all https, but I take your point about MITM attacks. The next time I update the site I'll move it I guess... :-/


Dr Christopher Betts Pegacat Aerospace Melbourne, Australia m: 61 408 533 456
