SSL downloads and updater (Let's Encrypt) - Theoxenia - 04-01-2017

Hi there.
There's a thread Xonotic Virus that describes how trolls are using side channel attacks to irritate people. Given the recent IoQuake3 security issue, people might be concerned about security when downloading the Xonotic binary.
I notice that forums.xonotic.org has a Let's Encrypt Authority X3 certificate. 
* Would it be possible to make an SSL certificate for dl.xonotic.org using Let's Encrypt?
* If so, could you make the Rsync updater tool check for the SSL certificate when connecting to dl.xonotic.org?
Thanks. Shy

RE: SSL downloads and updater (Let's Encrypt) - -z- - 04-02-2017

FWIW, the builds have verifiable hashes.

sha256sum: a22f7230f486c5825b55cfdadd73399c9b0fae98c9e081dd8ac76eca08359ad5

shasum: 9a1726e3d0d4e5e23c1e799734397c63e5df6ec9

MD5: 1bd46c1fb79aae42bb13e74f5a0ff46e

Package size: 946M

That being said, I believe in theory the engine can support https, because it's ultimately using curl lib, but the team will have to have a discussion.  I think it will be easy enough to add a proper cert to dl.xonotic.org, but we cannot force https on that... at least not yet. 

edit: https has been added, https://dl.xonotic.org/xonotic-0.8.2.zip

RE: SSL downloads and updater (Let's Encrypt) - sev - 04-02-2017

To add my two cents, while these hashsums are useful to verify file integrity, they are not suitable for security purposes. Nowadays, you need at least SHA256.

Also note that the hashsums cannot be considered safe unless they themselves are signed or shared on a secure page. An example for a signed hash file is provided by the openSUSE release.
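
One way to apply the two points in the post above, as an added example that is not part of the original thread or the Xonotic project's code: a checker that refuses MD5 and SHA-1 sums by their length and accepts only a SHA-256 match. The function names are hypothetical, the sample file is constructed, and the published digest is assumed to have been read from an HTTPS page or a signed file, which this code does not check.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest lengths of the weaker algorithms named in the thread.
WEAK_LENGTHS = {32: "MD5", 40: "SHA-1"}
SHA256_HEX_LEN = 64


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so a package of nearly 1 GB never sits in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, published_hex):
    """Return True only if `path` matches a published SHA-256 digest.

    Raises ValueError when the published value is not a SHA-256 digest,
    so an MD5 or SHA-1 sum is refused rather than silently accepted.
    """
    published = published_hex.strip().lower()
    if len(published) in WEAK_LENGTHS:
        raise ValueError(WEAK_LENGTHS[len(published)] + " digest refused")
    if len(published) != SHA256_HEX_LEN or any(
            c not in "0123456789abcdef" for c in published):
        raise ValueError("not a SHA-256 hex digest")
    return hmac.compare_digest(sha256_file(path), published)


def demo():
    """Constructed sample: a small temp file stands in for the package."""
    data = b"constructed sample package contents"
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(data)
        path = fh.name
    try:
        good = hashlib.sha256(data).hexdigest()
        tampered = hashlib.sha256(b"tampered contents").hexdigest()
        return verify_download(path, good), verify_download(path, tampered)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```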

RE: SSL downloads and updater (Let's Encrypt) - -z- - 04-02-2017

I've updated my post above with the sha256sum, and updated the download page as well. The closest I can do to a signed hash in the interim is my commit, and Antibody accepting the merge request.

The team will talk about how to integrate these processes into our next release. We appreciate your help and feedback. Thanks.

RE: SSL downloads and updater (Let's Encrypt) - cefiar - 04-02-2017

I *think* that rsync over https won't work with the cygwin runtime files we've currently got for Windows. Namely, there are no cygwin libs for anything to do with SSL.

Those would also need to be provided (and updated if there's any security changes). Even then, not sure that rsync on cygwin is compiled to support https transport sources.

Digging a little further, I notice that one of the common ways to do this is to use stunnel, so for Windows users that would need to be provided, but it's a bit of a hack even then, and if stunnel breaks, you need to debug where the issue is.