Bug 100824 - Download from https://www.libreoffice.org/download uses unsecure http protocol
Status: RESOLVED MOVED
Product: LibreOffice
Classification: Unclassified
Component: Installation
Version (earliest affected): unspecified
Hardware: All All
Importance: medium normal
Assignee: Not Assigned
Reported: 2016-07-09 13:49 UTC by tdelmas
Modified: 2016-07-12 18:07 UTC

Description tdelmas 2016-07-09 13:49:56 UTC
Any software download should use https.

Using http you put users at risk of installing malware.
Comment 1 MM 2016-07-09 14:06:37 UTC
Well it *is* using https: (and not http:) as you also said in the report header. Dunno what unsecure protocol you're talking about.
Comment 2 tdelmas 2016-07-09 14:22:40 UTC
The link on the secure page https://www.libreoffice.org/download/libreoffice-fresh/ for "Download Version 5.1.4" uses the unsecure HTTP protocol:

http://donate.libreoffice.org/fr/dl/win-x86/5.1.4/fr/LibreOffice_5.1.4_Win_x86.msi

It then redirects to the secure page https://donate.libreoffice.org/fr/dl/win-x86/5.1.4/fr/LibreOffice_5.1.4_Win_x86.msi

And launches the download from the **insecure** HTTP link http://ftp.free.fr/mirrors/documentfoundation.org/libreoffice/stable/5.1.4/win/x86/LibreOffice_5.1.4_Win_x86.msi (no redirect to https this time!)

So the final download is NOT using https.
Comment 3 MM 2016-07-11 22:43:28 UTC
(In reply to tdelmas from comment #2)
> http://donate.libreoffice.org/fr/dl/win-x86/5.1.4/fr/LibreOffice_5.1.4_Win_x86.msi
>
> It then redirects to the secure page
> https://donate.libreoffice.org/fr/dl/win-x86/5.1.4/fr/LibreOffice_5.1.4_Win_x86.msi

Well, at least it's redirecting to a secure page. Which is a good thing.

> So the final download is NOT using https.

I see. But it's not a bug, as the link is working normally. You might wanna set it as enhancement.

This download site is secure: https://download.documentfoundation.org/libreoffice/, but notice that a lot of ftp mirrors which distribute LO (including the ones on universities) across the world also aren't. Wanna make them all secure?!
Comment 4 tdelmas 2016-07-11 22:57:54 UTC
(In reply to MM from comment #3)
> 
> I see. But it's not a bug, as the link is working normally. You might wanna
> set it as enhancement.
> 

You can call that an enhancement. I call the current situation a security hole. A MitM can use that to install malware. Some rogue Tor node did it, it's not science fiction.

Using only https mirrors is one solution. Another one could be a small downloader, downloaded from the https official website, that downloads from mirrors/torrent and checks the checksum before install.
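
Added example, not part of the comment above and not LibreOffice or TDF code: one way to write the checksum-verifying downloader that comment 4 proposes, in Python. The host names, the `.sha256` file layout and all function names are assumptions for illustration; the digest is accepted only over HTTPS (including after redirects), while the installer itself may come from any mirror.

```python
import hashlib, hmac, io, os, tempfile
from urllib.parse import urlsplit
from urllib.request import urlopen

class IntegrityError(Exception):
    """Mirror bytes do not match the digest published by the origin."""

def fetch_trusted_digest(url, opener=urlopen):
    # The digest is the trust anchor, so it may only travel over HTTPS.
    if urlsplit(url).scheme != "https":
        raise ValueError("digest must be fetched over https: " + url)
    with opener(url) as resp:
        final = getattr(resp, "url", url)  # where any redirects ended up
        fields = resp.read(4096).decode("ascii").split()
    if urlsplit(final).scheme != "https":
        raise ValueError("digest URL was redirected off https: " + final)
    digest = fields[0].lower() if fields else ""
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("not a SHA-256 hex digest")
    return digest

def download_verified(mirror_url, digest_url, dest, opener=urlopen):
    """Fetch from any mirror; keep the file only if its SHA-256 matches."""
    expected = fetch_trusted_digest(digest_url, opener)
    sha = hashlib.sha256()
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(dest)))
    try:
        with os.fdopen(fd, "wb") as out, opener(mirror_url) as resp:
            for chunk in iter(lambda: resp.read(65536), b""):
                sha.update(chunk)
                out.write(chunk)
        if not hmac.compare_digest(sha.hexdigest(), expected):
            raise IntegrityError("SHA-256 mismatch for " + mirror_url)
        os.replace(tmp, dest)  # unverified bytes never appear at dest
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)
    return dest

if __name__ == "__main__":
    # Constructed offline stand-in for the network; hosts are hypothetical.
    good = b"constructed installer bytes"
    line = hashlib.sha256(good).hexdigest() + "  app.msi\n"
    pages = {"https://origin.example/app.msi.sha256": line.encode(),
             "http://mirror.example/app.msi": good}
    out = os.path.join(tempfile.mkdtemp(), "app.msi")
    print(download_verified("http://mirror.example/app.msi",
                            "https://origin.example/app.msi.sha256",
                            out, lambda u: io.BytesIO(pages[u])))
```
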
Comment 5 Aron Budea 2016-07-12 00:33:02 UTC
Since this is related to the website, and not LibreOffice itself, could you open a ticket at https://redmine.documentfoundation.org/ ?
Comment 6 tdelmas 2016-07-12 10:29:06 UTC
(In reply to Aron Budea from comment #5)
> Since this is related to the website, and not LibreOffice itself, could you
> open a ticket at https://redmine.documentfoundation.org/ ?

Sure, no problem.

The ticket: https://redmine.documentfoundation.org/issues/1987
Comment 7 Aron Budea 2016-07-12 14:23:05 UTC
Thanks! Closing this, then.
Comment 8 Adolfo Jayme Barrientos 2016-07-12 18:07:54 UTC
For future reference: https://wiki.documentfoundation.org/QA/BugReport#Not_all_bugs_go_to_Bugzilla