Your site is not secure

Open JLLeitschuh opened this issue 5 years ago • 5 comments

Your site is serving the download for this app over HTTP instead of HTTPS. This is a security risk to your users. Please acquire an HTTPS certificate for your site.

You can get one for free from Let's Encrypt. https://letsencrypt.org/

JLLeitschuh, Jun 28 '19 14:06

This is not a bug for the app.

alejandroivan, Aug 27 '19 14:08

It's a bug in how this app is downloaded by all of its users, allowing them to be maliciously compromised via a MITM.

JLLeitschuh, Aug 27 '19 16:08

If anyone wants to verify, for me the md5 hash for a zip file for version 2.8 is

MD5 (MacMediaKeyForwarder2.8.zip) = 71b62e96a28fc42103266fe8192c86eb

DCzajkowski, Sep 07 '19 15:09

You can also get the SHA hash from the Homebrew Cask configuration. TLS would be a nice addition to see that nobody's getting MitMed. (e.g. What if the updater of the Cask config got a shady version and SHAed that?)

If I recall correctly, Debian packages are distributed over HTTP, but they're all signed with keys that either come preloaded or have to be explicitly installed. We don't quite have the infrastructure for that here. 😉

michaelblyons, Sep 18 '19 15:09

Setting up HTTPS is not THAT easy, so for now it would be nice to at least have hashes on a different domain to mitigate the aforementioned security concern at least somewhat.

DCzajkowski, Sep 19 '19 02:09
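
The check suggested in the thread, as an added example that is not part of the original issue or the project's code: it parses a BSD-style checksum line (the format the macOS `md5` command prints, as posted above) and verifies a downloaded file against it. The function names are assumptions made for illustration, and the checksum line has to come from a channel that an attacker on the download path cannot alter.

```python
import hashlib
import hmac
import re
from pathlib import Path

# BSD-style line: "ALGO (filename) = hexdigest".
_BSD_LINE = re.compile(r"^(?P<algo>[A-Za-z0-9]+) \((?P<name>.+)\) = (?P<hex>[0-9a-fA-F]+)$")

# Tag -> (hashlib name, hex digest length). MD5 is listed only because the
# thread's line uses it; it is collision-prone, so publish SHA-256 instead.
_ALGOS = {"MD5": ("md5", 32), "SHA1": ("sha1", 40),
          "SHA256": ("sha256", 64), "SHA512": ("sha512", 128)}


def parse_bsd_checksum(line):
    """Return (hashlib_name, filename, lowercase_hex) or raise ValueError."""
    m = _BSD_LINE.match(line.strip())
    if not m:
        raise ValueError("not a BSD-style checksum line")
    if m["algo"].upper() not in _ALGOS:
        raise ValueError("unsupported algorithm: " + m["algo"])
    algo, hex_len = _ALGOS[m["algo"].upper()]
    if len(m["hex"]) != hex_len:
        raise ValueError("digest length does not match algorithm")
    return algo, m["name"], m["hex"].lower()


def verify_download(path, checksum_line):
    """True only if the file name and the file content both match the line."""
    algo, name, expected = parse_bsd_checksum(checksum_line)
    path = Path(path)
    if path.name != name:
        return False
    h = hashlib.new(algo)
    with path.open("rb") as f:
        # Stream in 64 KiB chunks so large archives are not loaded at once.
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected)


if __name__ == "__main__":
    # The line quoted in the thread; only parsed here, no file is fetched.
    print(parse_bsd_checksum(
        "MD5 (MacMediaKeyForwarder2.8.zip) = 71b62e96a28fc42103266fe8192c86eb"))
```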