Redirect to HTTPS on codecguide.com
I've just noticed that "codecguide.com" does not redirect to the HTTPS version of the website even though there is one available.
It would be great if you could implement this, it's really simple. One example of how to do so: https://infosec.mozilla.org/guidelines/web_security#http-redirections
Also I've noticed that when I use the K-Lite Update Checker and click on "Download installer" button this leads to the non-HTTPS version of "codecguide.com".
But even more importantly: Currently it's not possible to ensure that the downloaded files are valid and have not been tampered with.
Yes, there are hashsums visible on the download-page so you could check the correctness of the downloads (which sadly are not signed and also downloaded over HTTP only) but if you view this page via HTTP you can't know if the page has been intercepted.
Yes, this happens, and in some countries it is actually enforced via deep packet inspection middleboxes that redirect users of certain websites to nation-state spyware if the website they visit and the download-link they use are being served over non-encrypted websites. Examples in this recent report by Citizen Lab are Avast Antivirus, CCleaner, Opera, and 7-Zip:
https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/ (yes, it's a long read but worth it)
So my suggestions would be:
- redirect the HTTP-version to HTTPS
- only download over HTTPS (if you have the money also use code signing)
- if you don't want to pay for an HTTPS certificate, check out "Let’s Encrypt" (https://letsencrypt.org/), it even has wildcard certificate support
- implement HSTS (https://hstspreload.org/?domain=codecguide.com)
- check this guide by Mozilla to implement more secure headers (https://observatory.mozilla.org/analyze.html?host=codecguide.com)
- check all code-paths of K-Lite and replace HTTP-links with HTTPS-links
Thank you for the continuous support of K-Lite over all the years!
miken
Posts: 2
Join date: 2018-03-25
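The redirect and HSTS items from the list above can be verified mechanically. The following is an added example written for this thread, not code from the poster or from the codecguide.com site: it takes a plain-HTTP response and an HTTPS response as (status, headers) pairs and reports which of the recommendations (permanent redirect to HTTPS on the same host, HSTS with a max-age of at least one year, includeSubDomains and preload, as hstspreload.org requires) are not met. The sample responses for example.com are constructed, so the script runs offline; point `audit()` at real responses captured with any HTTP client to check a live site.

```python
"""Offline checker for the HTTP->HTTPS redirect and HSTS recommendations.

Works on (status, headers) pairs so it can be run against constructed or
captured responses without network access.
"""
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # minimum max-age (seconds) accepted by the HSTS preload list


def _header(headers, name):
    """Case-insensitive header lookup; returns None when the header is absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def parse_hsts(value):
    """Split a Strict-Transport-Security value into a {directive: value} dict."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(https_headers):
    """Findings for the HSTS header on the HTTPS response (browsers ignore HSTS over HTTP)."""
    findings = []
    hsts = _header(https_headers, "Strict-Transport-Security")
    if hsts is None:
        return ["no Strict-Transport-Security header on the HTTPS response"]
    d = parse_hsts(hsts)
    try:
        max_age = int(d.get("max-age", ""))
    except ValueError:
        findings.append("HSTS max-age missing or not an integer")
        max_age = None
    if max_age is not None and max_age < ONE_YEAR:
        findings.append(f"HSTS max-age {max_age} is below one year ({ONE_YEAR}) required for preload")
    if "includesubdomains" not in d:
        findings.append("HSTS includeSubDomains directive missing")
    if "preload" not in d:
        findings.append("HSTS preload directive missing")
    return findings


def check_http_redirect(requested_url, status, http_headers):
    """Findings for the response to a plain-HTTP request: must be a permanent
    redirect to the https:// version of the same host with the path preserved."""
    findings = []
    req = urlsplit(requested_url)
    if status not in (301, 308):
        findings.append(f"expected a permanent redirect (301/308) for {requested_url}, got {status}")
    location = _header(http_headers, "Location")
    if location is None:
        findings.append("no Location header, request is served over plain HTTP")
        return findings
    loc = urlsplit(location)
    if loc.scheme != "https":
        findings.append(f"Location does not use https: {location}")
    if loc.hostname != req.hostname:
        # Mozilla's guideline: redirect to HTTPS on the same host first, then elsewhere.
        findings.append(f"redirect changes host from {req.hostname} to {loc.hostname}")
    if loc.path != req.path:
        findings.append("redirect does not preserve the requested path")
    return findings


def audit(requested_http_url, http_response, https_response):
    """Combine both checks; an empty list means all recommendations are met."""
    return (check_http_redirect(requested_http_url, *http_response)
            + check_hsts(https_response[1]))


# Constructed sample responses for a hypothetical host (not captured from any real site).
WEAK_HTTP = (200, {"Content-Type": "text/html"})
WEAK_HTTPS = (200, {"Strict-Transport-Security": "max-age=300"})
GOOD_HTTP = (301, {"Location": "https://example.com/download.html"})
GOOD_HTTPS = (200, {"Strict-Transport-Security":
                    "max-age=63072000; includeSubDomains; preload"})

if __name__ == "__main__":
    for label, http_r, https_r in (("weak", WEAK_HTTP, WEAK_HTTPS), ("good", GOOD_HTTP, GOOD_HTTPS)):
        findings = audit("http://example.com/download.html", http_r, https_r)
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

The HSTS check deliberately reads the HTTPS response only: a Strict-Transport-Security header sent over plain HTTP is ignored by browsers, so a site that only emits it before the redirect gains nothing. The path check catches redirect rules that send every HTTP request to the HTTPS front page, which breaks deep links such as the installer download the update checker opens.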