Deluge
2018-02-01 20:15:24 UTC
#3155: [Security] [Feature request] Use HTTPS for Deluge binaries, source, and web
registration page
-------------------------------------------------+-------------------------
Reporter: catball | Owner:
Type: feature-request | Status: new
Priority: major | Milestone: not applicable
Component: Packaging | Version: other (please specify)
Keywords: https, encryption, security, feature request |
-------------------------------------------------+-------------------------
'''Feature request:'''
Host Deluge website, binary downloads, source code, and bug tracker with
HTTPS encryption.
----
'''Why is this needed:'''
Especially when downloading binaries or registering for an account on this
website to report bugs, it is trivial for a man-in-the-middle attacker to
substitute the Deluge binaries with their own malicious binaries.
Likewise, when registering for an account to report bugs here, credentials
are sent in clear HTTP and can be trivially sniffed over the network.
----
'''How to fix:'''
Thankfully it is presently easy and free to get certificates from CAs like
Let's Encrypt (https://letsencrypt.org/) and tools like Certbot make it
easy to request and use certs (https://certbot.eff.org/). A good starting
point might be here: (https://letsencrypt.org/getting-started/)
----
'''Ideal state:'''
Ideally, all web elements of the Deluge website deluge-torrent.org and all
subdomains including dev.deluge-torrent.org and download.deluge-torrent.org
should be encrypted.
Additionally, providing checksums of Deluge binaries with a relatively
secure hashing algorithm like SHA256 and/or PGP verification for files
would be good, so users can verify their downloads.
--
Ticket URL: <http://dev.deluge-torrent.org/ticket/3155>
Deluge <http://deluge-torrent.org/>
Deluge Project
--
You received this message because you are subscribed to the Google Groups "Deluge Dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to deluge-dev+***@googlegroups.com.
To post to this group, send email to deluge-***@googlegroups.com.
Visit this group at https://groups.google.com/group/deluge-dev.
For more options, visit https://groups.google.com/d/optout.