Any software download should use https. Using http, you put users at risk of installing malware.
Well it *is* using https: (and not http:) as you also said in the report header. Dunno what unsecure protocol you're talking about.
The link on the secure page https://www.libreoffice.org/download/libreoffice-fresh/ for "Download Version 5.1.4" uses the unsecure HTTP protocol: http://donate.libreoffice.org/fr/dl/win-x86/5.1.4/fr/LibreOffice_5.1.4_Win_x86.msi
It then redirects to the secure page https://donate.libreoffice.org/fr/dl/win-x86/5.1.4/fr/LibreOffice_5.1.4_Win_x86.msi
and launches the download from the **insecure** HTTP link http://ftp.free.fr/mirrors/documentfoundation.org/libreoffice/stable/5.1.4/win/x86/LibreOffice_5.1.4_Win_x86.msi (no redirect to https this time!)
So the final download is NOT using https.
(In reply to tdelmas from comment #2)
> http://donate.libreoffice.org/fr/dl/win-x86/5.1.4/fr/LibreOffice_5.1.4_Win_x86.msi
>
> It then redirect to the secure page
> https://donate.libreoffice.org/fr/dl/win-x86/5.1.4/fr/LibreOffice_5.1.4_Win_x86.msi
Well, at least it's redirecting to a secure page. Which is a good thing.
> So the final download is NOT using https.
I see. But it's not a bug, as the link is working normally. You might wanna set it as enhancement. This download site is secure: https://download.documentfoundation.org/libreoffice/ , but notice that a lot of ftp mirrors which distribute LO (including the ones on universities) across the world also aren't. Wanna make them all secure?!
(In reply to MM from comment #3)
> I see. But it's not a bug, as the link is working normally. You might wanna
> set it as enhancement.
You can call that an enhancement. I call the current situation a security hole. A MitM can use that to install malware. Some rogue Tor node did it, it's not science fiction. Using only https mirrors is one solution. Another one could be a small downloader, downloaded from the https official website, that downloads from mirrors/torrent and checks the checksum before install.
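The two checks discussed in the comments above (spotting plain-HTTP hops in the redirect chain, and verifying a mirror download against a checksum obtained over HTTPS before installing) can be sketched as follows. This is an added example, not part of the thread or of any LibreOffice tooling; the function names, the sha256sum-style digest list and the `example.org` URL used in testing are assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

def insecure_hops(chain):
    """Return every URL in a redirect chain that is not fetched over HTTPS."""
    return [u for u in chain if urlsplit(u).scheme.lower() != "https"]

def parse_sha256sums(text):
    """Parse sha256sum-style lines ('<64 hex>  <name>') into {name: digest}."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue
        try:
            bytes.fromhex(parts[0])
        except ValueError:
            continue  # not a hex digest, ignore the line
        sums[parts[1].strip().lstrip("*")] = parts[0].lower()
    return sums

def sha256_file(path, chunk=1 << 16):
    """Hash the file in chunks so a large installer is never held in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_download(path, name, sums_text, sums_url):
    """True only if the digest list came over HTTPS and the file matches it."""
    if insecure_hops([sums_url]):
        return False  # a digest fetched over HTTP is as forgeable as the file
    expected = parse_sha256sums(sums_text).get(name)
    if expected is None:
        return False  # fail closed when the file is not listed
    return hmac.compare_digest(sha256_file(path), expected)

# Redirect chain as reported in the thread above.
CHAIN = [
    "http://donate.libreoffice.org/fr/dl/win-x86/5.1.4/fr/LibreOffice_5.1.4_Win_x86.msi",
    "https://donate.libreoffice.org/fr/dl/win-x86/5.1.4/fr/LibreOffice_5.1.4_Win_x86.msi",
    "http://ftp.free.fr/mirrors/documentfoundation.org/libreoffice/stable/5.1.4/win/x86/LibreOffice_5.1.4_Win_x86.msi",
]

if __name__ == "__main__":
    print(insecure_hops(CHAIN))
```

With the digest list pinned to an HTTPS origin, the mirror itself can stay on HTTP or FTP without the installer's integrity depending on it.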
Since this is related to the website, and not LibreOffice itself, could you open a ticket at https://redmine.documentfoundation.org/ ?
(In reply to Aron Budea from comment #5)
> Since this is related to the website, and not LibreOffice itself, could you
> open a ticket at https://redmine.documentfoundation.org/ ?
Sure, no problem. The ticket: https://redmine.documentfoundation.org/issues/1987
Thanks! Closing this, then.
For future reference: https://wiki.documentfoundation.org/QA/BugReport#Not_all_bugs_go_to_Bugzilla