#340: download links on getfedora should use https
------------------------+-----------------------
 Reporter:  mattdm      |      Owner:  webmaster
     Type:  defect      |     Status:  new
 Priority:  major       |  Milestone:
Component:  getfedora   |   Keywords:
Blocked By:             |   Blocking:
------------------------+-----------------------

We have a general effort to use https to reduce risk of MITM attacks. Right now, the links like https://getfedora.org/en/cloud/download/download-cloud-splash?file=http://download.fedoraproject.org/pub/fedora/linux/releases/22/Cloud/x86_64/.../Fedora-Cloud-Atomic-22-20150521.x86_64.qcow2 use http — they should use HTTPS.
Thank you!
#340: download links on getfedora should use https
-----------------------+------------------------
  Reporter:  mattdm    |       Owner:  webmaster
      Type:  defect    |      Status:  new
  Priority:  major     |   Milestone:
 Component:  getfedora |  Resolution:
  Keywords:            |  Blocked By:
  Blocking:            |
-----------------------+------------------------
Comment (by cydrobolt):
Updated the links, should sync out soon. Keep in mind we do not have control over the mirrors, so we cannot force them to use HTTPS, nor do we have control of mirrors serving bad data. Users will need to verify their images in order to ensure that they are correct.
#340: download links on getfedora should use https
-----------------------+------------------------
  Reporter:  mattdm    |       Owner:  webmaster
      Type:  defect    |      Status:  closed
  Priority:  major     |   Milestone:
 Component:  getfedora |  Resolution:  fixed
  Keywords:            |  Blocked By:
  Blocking:            |
-----------------------+------------------------
Changes (by robyduck):

 * resolution:  => fixed
 * status:  new => closed
Comment:
Thanks cydrobolt, just added the changes also to the download splash to let them work with https.
The changes are now applied for every website, labs.fpo, arm.fpo and spins.fpo included.
#340: download links on getfedora should use https
-----------------------+------------------------
  Reporter:  mattdm    |       Owner:  webmaster
      Type:  defect    |      Status:  reopened
  Priority:  major     |   Milestone:
 Component:  getfedora |  Resolution:
  Keywords:            |  Blocked By:
  Blocking:            |
-----------------------+------------------------
Changes (by kevin):

 * resolution:  fixed =>
 * status:  closed => reopened
Comment:
Note that this actually doesn't fix anything, it just 'kicks the can down the road'.
download.fedoraproject.org is a redirect via mirrormanager to a mirror. Those mirrors could well be using http.
So, all we did is make the redirect use https, but it just redirects you to an http mirror, so does that fix anything?
Until/unless we get a way to tell mirrormanager "we only want https links" I don't think this is solved.
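A check for the point kevin makes above, added here as an example and not taken from the websites or MirrorManager code: resolve the redirect chain hop by hop yourself and flag any hop that is plain http, since a stock client following redirects would hide the downgrade. The sample chain and the mirror host name are constructed.

```python
import http.client
import urllib.parse

# Constructed sample of the chain a getfedora download link can follow after
# the websites fix: the splash links https://download.fedoraproject.org/...,
# MirrorManager redirects to whichever mirror it picks, and that mirror may
# only offer http. Both URLs are made up for this example.
SAMPLE_CHAIN = [
    "https://download.fedoraproject.org/pub/fedora/linux/releases/22/Cloud/"
    "x86_64/Images/Fedora-Cloud-Atomic-22-20150521.x86_64.qcow2",
    "http://mirror.example.net/fedora/linux/releases/22/Cloud/"
    "x86_64/Images/Fedora-Cloud-Atomic-22-20150521.x86_64.qcow2",
]

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def insecure_hops(chain):
    """Indexes of every hop whose scheme is not https.
    The transfer is protected end to end only when this list is empty."""
    return [i for i, url in enumerate(chain)
            if urllib.parse.urlsplit(url).scheme.lower() != "https"]


def follow_redirects(url, max_hops=10):
    """Resolve a URL hop by hop with HEAD requests, returning every URL seen.
    Done by hand so an https->http downgrade is recorded, not silently
    followed as a stock HTTP client would. Needs network access."""
    chain = [url]
    for _ in range(max_hops):
        parts = urllib.parse.urlsplit(url)
        conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                    else http.client.HTTPConnection)
        target = parts.path or "/"
        if parts.query:
            target += "?" + parts.query
        conn = conn_cls(parts.netloc, timeout=15)
        try:
            conn.request("HEAD", target)
            resp = conn.getresponse()
            status, location = resp.status, resp.getheader("Location")
        finally:
            conn.close()
        if status not in REDIRECT_STATUSES or not location:
            return chain
        url = urllib.parse.urljoin(url, location)  # Location may be relative
        chain.append(url)
    raise RuntimeError("more than %d redirects from %s" % (max_hops, chain[0]))
```

Running `insecure_hops(follow_redirects(url))` against a real download link reports exactly the http mirror hop that the https-only redirect does not remove.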
#340: download links on getfedora should use https
-----------------------+------------------------
  Reporter:  mattdm    |       Owner:  webmaster
      Type:  defect    |      Status:  reopened
  Priority:  major     |   Milestone:
 Component:  getfedora |  Resolution:
  Keywords:            |  Blocked By:
  Blocking:            |
-----------------------+------------------------
Comment (by till):
IMHO this should probably be tracked in mirrormanager since there is nothing in the websites that can be done about this. Also one should not trust the mirrors as well, therefore the additional validation steps as outlined in https://getfedora.org/en/verify could be made more prominent.
#340: download links on getfedora should use https
-----------------------+------------------------
  Reporter:  mattdm    |       Owner:  webmaster
      Type:  defect    |      Status:  reopened
  Priority:  major     |   Milestone:
 Component:  getfedora |  Resolution:
  Keywords:            |  Blocked By:
  Blocking:            |
-----------------------+------------------------
Comment (by robyduck):
I've sent this also to the [https://fedorahosted.org/mirrormanager/ticket/60 Mirrormanager trac].
#340: download links on getfedora should use https
-----------------------+------------------------
  Reporter:  mattdm    |       Owner:  webmaster
      Type:  defect    |      Status:  closed
  Priority:  major     |   Milestone:
 Component:  getfedora |  Resolution:  wontfix
  Keywords:            |  Blocked By:
  Blocking:            |
-----------------------+------------------------
Changes (by robyduck):

 * status:  reopened => closed
 * resolution:  => wontfix
Comment:
Websites cannot do much here, I'm going to close the ticket, but feel free to reopen it on pagure if needed. Mirrormanager is probably a better option to talk to.
websites@lists.fedoraproject.org