Feature #10575
Serve UUI with HTTPS through Gitweb
100%
Description
Now that we have https://git-tails.immerda.ch/uui-binary we could serve UUI with HTTPS through Gitweb. This would protect our users from simple MitM.
Subtasks
History
#1 Updated by sajolida 2015-11-27 12:00:50
- Assignee changed from sajolida to tchou
- QA Check set to Ready for QA
- Feature Branch set to web/10575-uui-gitweb
#2 Updated by tchou 2015-12-07 13:56:36
- Assignee changed from tchou to sajolida
- QA Check changed from Ready for QA to Info Needed
I’m not sure I understand this point about “simple MitM attacks”: why would it be more difficult? More difficult than what (riseup?).
#3 Updated by sajolida 2015-12-08 07:35:52
- Assignee changed from sajolida to tchou
- QA Check changed from Info Needed to Ready for QA
Currently UUI is served from pendrivelinux.com on HTTP only (see Feature #8932). Serving it from git-tails.immerda.ch provides HTTPS (and thus authentication) to the download. Currently, doing a man-in-the-middle on pendrivelinux.com requires being anywhere on the route to pendrivelinux.com (or redirecting this route), without any need for authentication. Doing a man-in-the-middle on git-tails.immerda.ch would also require having a fake but valid SSL certificate for immerda.ch.
#4 Updated by tchou 2015-12-12 02:56:53
- QA Check changed from Ready for QA to Pass
The commit was from riseup to immerda, that’s why I did not get the difference for security issues. I thought maybe I missed HTTPS-specific issues.
#5 Updated by tchou 2015-12-12 02:58:42
- Assignee changed from tchou to sajolida
#6 Updated by sajolida 2015-12-16 09:53:24
Now I understand your confusion. And you’re right, there’s no difference in security between the HTTPS of riseup and immerda. But moving to Git will make it easier to maintain and provide permanent links.
I’m merging this then!
#7 Updated by sajolida 2015-12-16 09:53:48
- Status changed from Confirmed to Resolved
- % Done changed from 0 to 100
Applied in changeset commit:5f4d84605a7d6e5b9c3da12ea706ab4f2b66ff07.
#8 Updated by sajolida 2015-12-16 09:54:20
- Assignee deleted (sajolida)
- QA Check deleted (Pass)