
Re: Scripts that run insecurely-downloaded code



On Sat, 2 May 2020 10:14:13 +0200
Davide Prina <davide.prina@gmail.com> wrote:

> On 01/05/20 22:00, Rebecca N. Palmer wrote:
> > On 01/05/2020 20:31, Elmar Stellnberger wrote:
> >> https isn't any more secure than http as long as you do not have a 
> >> verifiably trustworthy server certificate that you can check for. As 
> >> we know the certification authority system is totally broken.
> > 
> > Imperfect yes, but still better than nothing.
> 
> There is another problem: implementation. Not all the software that 
> implements HTTPS verifies the validity of the certificate and the validity 
> of all the certification chain.

I am not a security expert, but see my argument here with the Debian
ssmtp maintainer over whether a package that advertises TLS
functionality but fails to check the received certificate (and does not
mention this anywhere in its documentation) should be considered to have
an 'important' bug ;)

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=662960#51

Celejar
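The implementation point raised in the quoted text (an HTTPS client that negotiates TLS but never validates the chain or the hostname) is easy to check for in Python, where the stdlib makes both the correct and the lax configuration one line apart. The following is an added example, not code from this thread or from any of the packages discussed; it shows a strict download helper that validates the full chain against the system trust store, checks the hostname, and then compares the body against a pinned SHA-256 before the caller does anything with it, plus a small audit function a reviewer can run against a context that third-party code constructs. The function names, the `make_lax_context()` counter-example and the digest in the usage line are my own constructions.

```python
"""Download-and-verify helper: full-chain and hostname verification, then a
pinned SHA-256 before the content is used.  Added example for this thread;
function names and the sample digest below are constructed, not from the page."""
import hashlib
import ssl
import urllib.request
from urllib.parse import urlparse


def make_strict_context() -> ssl.SSLContext:
    """Context that validates the certificate chain against the system trust
    store and checks the hostname; also refuses TLS versions below 1.2."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_lax_context() -> ssl.SSLContext:
    """The misconfiguration the thread is about: TLS is negotiated, but the
    peer certificate is never validated.  Built here only so audit_context()
    has something to flag (constructed for this example)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                  # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the ways a context falls short of the strict settings, so a
    reviewer can test a context that some library hands to urllib/requests."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: chain is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid cert for any host is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS older than 1.2")
    return findings


def is_https(url: str) -> bool:
    """Only https:// may carry code we intend to run; plain http is refused."""
    return urlparse(url).scheme == "https"


def verify_digest(data: bytes, expected_sha256_hex: str) -> bool:
    """Compare the downloaded bytes against a digest pinned out of band."""
    return hashlib.sha256(data).hexdigest().lower() == expected_sha256_hex.lower()


def fetch_verified(url: str, expected_sha256_hex: str, timeout: float = 30.0) -> bytes:
    """Download over a strictly verified TLS connection and refuse to return
    the body unless it matches the pinned digest."""
    if not is_https(url):
        raise ValueError(f"refusing non-https URL: {url}")
    with urllib.request.urlopen(url, timeout=timeout, context=make_strict_context()) as resp:
        data = resp.read()
    if not verify_digest(data, expected_sha256_hex):
        raise ValueError("downloaded content does not match the pinned SHA-256")
    return data


if __name__ == "__main__":
    # Constructed placeholders: the URL does not resolve and the digest is
    # arbitrary, so this only demonstrates the call shape.
    print(audit_context(make_strict_context()))   # []
    print(audit_context(make_lax_context()))      # two or three findings
    try:
        fetch_verified("http://example.invalid/install.sh", "00" * 32)
    except ValueError as exc:
        print(exc)
```

The audit function is the useful part for the bug-report scenario in this thread: a package that "supports TLS" can be handed its own context and checked in a few lines, and the `verify_mode`/`check_hostname` findings are exactly the two properties an unverifying client leaves unset. The digest pin is independent of TLS and catches the case where the server itself is compromised or the CA system fails, which is the objection in the quoted text.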
