You are here

https and signatures for portableapps.com website and software

6 posts / 0 new
Last post
mak77
Offline
Last seen: 9 years 7 months ago
Joined: 2014-08-26 08:16
https and signatures for portableapps.com website and software

Hi devs & site admins!

No https connection is possible to your portableapps.com website. So downloading isn't secured against modifying binaries while they fly by... Login passwords aren't confidential, too.
https throws the following error: "ssl_error_rx_record_too_long".
Is this intentional?

Furthermore no GnuPG signatures of the binaries are provided.
Is this good practise in the post-snowden era?

Greetz
MAK

MarekK
Offline
Last seen: 6 years 5 months ago
Joined: 2015-12-30 06:38
thumbs up!

I've come across this posting when searching for "hidden" settings that would enable the portableapps platform tool to connect using httpS - which seems not to be implemented yet.
I've added it to the bugtracker, maybe this helps.

John T. Haller
John T. Haller's picture
Offline
Last seen: 1 hour 14 min ago
AdminDeveloperModeratorTranslator
Joined: 2005-11-28 22:21
Expense, Digital Signatures

Adding https isn't just a matter of buying a certificate. First, we need either a wildcard certificate or a half dozen separate certificates to cover all our subdomains used for the download network. Second, we need to configure our main website and our download servers to use https. Third, we need to pay ongoing monthly fees for our primary CDN used for images, our secondary download server, and our tertiary CDN download backup network in order to enable https on an ongoing basis. Typically, CDNs charge $100 and up per month per domain for SSL. That money would need to come from somewhere. Finally, the SourceForge downloads - the majority of open source downloads - would not be https as they run http. Switching those to our own servers would be a large outlay of cash for bandwidth.

As to GPG, it's pretty rare and not terribly useful on Windows. Of far more use is Windows code signing, which we have done for years. You can right-click on any of our installers/launchers and select the Digital Signatures tab to confirm. We're transitioning from SHA1 to combnined SHA1+SHA2 now as well to up our security and stay inline with Microsoft directives. (You can't go straight SHA2 without breaking Windows XP/Vista) Note that most freeware apps installers are not signed by us as we can't verify whether code within freeware apps is not malicious.

Also note that I removed your comment in the bug tracker as all comments are deleted from their once addressed, so replying here makes more sense as it will be preserved.

One update of note for those who have suggested "Let's Encrypt". While we are excited about the prospect for the overall internet, it's not a viable solution for anything except our own primary server. None of the large CDNs support it. None of our file download hosts support it. We could use it on our main server, but that's about it at the moment.

Sometimes, the impossible can become possible, if you're awesome!

makearequest
Offline
Last seen: 3 years 1 week ago
Joined: 2013-02-11 06:34
You use sf.net to host

You use sf.net to host packages and sourceforge can be accessible throug https. And you can fetch as many certs as you need for domains from letsencrypt/wosign/startssl.

What CDN are you use except sourceforge? Cloudflare have tricky free ssl or fully functional option for $20/month.

I think it's time to support https and ipv6 for the sake of progress and security reasons.

ottosykora
Offline
Last seen: 1 hour 25 min ago
Joined: 2007-10-11 17:48
what for?

you know that the files are not manipulated while underway so why to bother so much?
The files are signed so where is the problem exactly?

Otto Sykora
Basel, Switzerland

makearequest
Offline
Last seen: 3 years 1 week ago
Joined: 2013-02-11 06:34
lol okay

lol okay

Log in or register to post comments