[Bug 749481] Security of redirect to mirrors
- From: "sysadmin" (GNOME Bugzilla) <bugzilla gnome org>
- To: gnome-infrastructure gnome org
- Subject: [Bug 749481] Security of redirect to mirrors
- Date: Sun, 17 May 2015 20:44:19 +0000
Comment #2 on bug 749481 from Marek Sebera
Hello Andrea,
thank you for your response.
1. That would be great for opt-in HTTPS-only mirror usage, in my opinion, it's
not necessary to switch to HTTPS ultimately (although it would be great),
especially for long-term support products with possible hard-coded HTTP usage
or for clients unable to verify the CA chain. However, it is important to keep
the security chain, which means not redirecting to HTTP from HTTPS, which should
be possible, as I don't see HSTS enabled on the download.gnome.org subdomain.
2. Yes, that is actually already being implemented in the way you suggested,
along with an option to disable redirects to non-SSL mirrors (which could be
easily checked if there is an appropriately updated .mirrorlist file; in other
cases, that would require hard-coding or brute-force checking whether a given
mirror is HTTPS enabled).
Given your response, do you think the information in .mirrorlist files will be
updated any time soon, so we could base the decision logic on it? I.e. the
referenced WELCOME.msg.mirrorlist should contain HTTPS URLs if the mirror is
HTTPS enabled.
It would also be possible to update your mirror rating algorithm (which is now
strictly location-based, I guess) to give higher priority to HTTPS-enabled
mirrors, which would naturally push other mirrors to adopt the HTTP security
measures.
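
Added example, not part of the original comment or of any GNOME code: a client-side sketch of the two policies discussed above, refusing a redirect from HTTPS to plain HTTP and ranking HTTPS mirrors first. The mirror host names and the `/WELCOME.msg` paths are constructed placeholders; a candidate list is assumed to be available already, since the .mirrorlist format is not shown here.

```python
import urllib.request
from urllib.error import URLError
from urllib.parse import urlsplit


def is_downgrade(current_url, next_url):
    """True when a hop leaves https:// for any other scheme."""
    return (urlsplit(current_url).scheme.lower() == "https"
            and urlsplit(next_url).scheme.lower() != "https")


class NoDowngradeRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Follow redirects as usual, but abort on an HTTPS -> HTTP hop."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        # urllib passes newurl already resolved to an absolute URL.
        if is_downgrade(req.full_url, newurl):
            raise URLError("refused HTTPS -> HTTP redirect to " + newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def rank_mirrors(candidates, https_only=False):
    """Keep the incoming order within each group, HTTPS group first.

    With https_only=True plain-HTTP mirrors are dropped instead of demoted.
    Anything that is neither http nor https is discarded.
    """
    https = [u for u in candidates if urlsplit(u).scheme.lower() == "https"]
    plain = [u for u in candidates if urlsplit(u).scheme.lower() == "http"]
    return https if https_only else https + plain


def make_opener():
    """Opener that enforces the no-downgrade rule on every redirect."""
    return urllib.request.build_opener(NoDowngradeRedirectHandler)


# Constructed sample list (hypothetical hosts), in "closest first" order.
SAMPLE_MIRRORS = [
    "http://mirror-a.example/gnome/WELCOME.msg",
    "https://mirror-b.example/gnome/WELCOME.msg",
    "ftp://mirror-c.example/gnome/WELCOME.msg",
    "https://mirror-d.example/gnome/WELCOME.msg",
]
```

A client that started on HTTP is still allowed to be redirected to HTTP or upgraded to HTTPS; only the HTTPS to HTTP hop is rejected.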