Jump to content

williammlleslie

Members
  • Posts

    4
  • Joined

  • Last visited

Converted

  • Gender
    Undisclosed
  • Personal Text
    I am new!

williammlleslie's Achievements

Tree Puncher

Tree Puncher (2/8)

0

Reputation

  1. Thanks for your reply. This is both true and meaningless. I can't spoof your cert *and* have the trust chain check out unless I've directly copied it (including your public key). And if I've directly copied it, I can't use it to immitate you, because I don't have your private key. You seem to have a fundamental misunderstanding of how x509 certs work and I don't seem to be able to help you there, so maybe you can attempt the attack on your bank yourself sometime. If you have a theoretical MITM on TLS using a Gateway, I'd love to hear about it. The one recent example of this involved first installing a malcious CA on the client machine. In other words, the client (or OEM) installed the vulnerability themselves. It's not something that can be done to just anyone. Non-sequitur. Just because this guy exists, doesn't mean that the rest of us should have to download code that we're going to execute over an untrusted connection. Some people can't read an URL, that's true. Chrome does a much better job there than the other browsers at helping the user. But the demographic that are installing forge themselves likely can. I didn't ask you to do anything about other modders. I asked you how we can get the official Forge download to be secure. THIS page: http://files.minecraftforge.net/ I understand you don't control the content provider (ad.fly), which is why I suggested file hashes, but that is less than ideal. The best you could do is HTTPS*, and it's just not that hard. I'm not entirely sure why I'm the first to bring this up to you - I suppose other technical users are just using github.
  2. Not at all. These are the assumptions that were made when designing HTTPS. Well, ideally you wouldn't use a self-signed certificate, but like I said, it's better than what you have at the moment. Remember that me having a copy of your certificate does not allow me to impersonate you: although it may verify, without your private key (which you do not give out) there's no way for me to complete the TLS handshake. Pages cannot be usefully injected when they use HTTPS. Unless you're from the future and know about something those of us in the industry don't, the only thing you can inject into a TLS connection without having the session key is garbage. I would enjoy you splaining to me how the mechanism we've been using to secure the internet for decades now does not work.
  3. I am talking about Forge itself, not individual mods. > TLDR: Only download from trusted sources. That's the point - typing minecraftforge.net into the url bar does not guarantee that you're looking at the real minecraftforge.net. You hope it does, but it's possible to spoof if you've got low enough latency to the client (or if you pwn a gateway server). So that's the problem: how do I get a server that I can trust? Even https with a self-signed cert would be *something*, because I could verify that minecraftforge.net is the same minecraftforge.net that I visited last time.
  4. How could we make it possible to verify that what we download is what the developers wrote? Using github is one way, but it would be nice if this was possible for releases too. I mean, it's quite scary running code downloaded from the internet already - we have to trust the people that made the release - but we could at least eliminate adfly or a MITM messing with the jars. I would suggest moving the download page to https and providing embedded md5 and sha1 sums. How do we do this?
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.