Hi devs & site admins!
No https connection is possible to your portableapps.com website. So downloading isn't secured against modifying binaries while they fly by... Login passwords aren't confidential, too.
https throws the following error: "ssl_error_rx_record_too_long".
Is this intentional?
Furthermore no GnuPG signatures of the binaries are provided.
Is this good practise in the post-snowden era?
Greetz
MAK
I've come across this posting when searching for "hidden" settings that would enable the portableapps platform tool to connect using httpS - which seems not to be implemented yet.
I've added it to the bugtracker, maybe this helps.
Adding https isn't just a matter of buying a certificate. First, we need either a wildcard certificate or a half dozen separate certificates to cover all our subdomains used for the download network. Second, we need to configure our main website and our download servers to use https. Third, we need to pay ongoing monthly fees for our primary CDN used for images, our secondary download server, and our tertiary CDN download backup network in order to enable https on an ongoing basis. Typically, CDNs charge $100 and up per month per domain for SSL. That money would need to come from somewhere. Finally, the SourceForge downloads - the majority of open source downloads - would not be https as they run http. Switching those to our own servers would be a large outlay of cash for bandwidth.
As to GPG, it's pretty rare and not terribly useful on Windows. Of far more use is Windows code signing, which we have done for years. You can right-click on any of our installers/launchers and select the Digital Signatures tab to confirm. We're transitioning from SHA1 to combnined SHA1+SHA2 now as well to up our security and stay inline with Microsoft directives. (You can't go straight SHA2 without breaking Windows XP/Vista) Note that most freeware apps installers are not signed by us as we can't verify whether code within freeware apps is not malicious.
Also note that I removed your comment in the bug tracker as all comments are deleted from their once addressed, so replying here makes more sense as it will be preserved.
One update of note for those who have suggested "Let's Encrypt". While we are excited about the prospect for the overall internet, it's not a viable solution for anything except our own primary server. None of the large CDNs support it. None of our file download hosts support it. We could use it on our main server, but that's about it at the moment.
Sometimes, the impossible can become possible, if you're awesome!
You use sf.net to host packages and sourceforge can be accessible throug https. And you can fetch as many certs as you need for domains from letsencrypt/wosign/startssl.
What CDN are you use except sourceforge? Cloudflare have tricky free ssl or fully functional option for $20/month.
I think it's time to support https and ipv6 for the sake of progress and security reasons.
you know that the files are not manipulated while underway so why to bother so much?
The files are signed so where is the problem exactly?
Otto Sykora
Basel, Switzerland
lol okay