View Issue Details

ID: 0000443
Project: bareos-core
Category: installer / packages
View Status: public
Last Update: 2015-03-31 14:55
Reporter: aef
Assigned To:
Status: acknowledged
Resolution: open
Summary: 0000443: Download site not available through HTTPS
Description:
Both the Bareos main website ( ) and the bug tracker ( ) are available through HTTPS. Strangely enough, the domain which serves all the software packages and cryptographic OpenPGP keys for code signature verification ( ) is NOT available through HTTPS.

An attacker could therefore easily send your customers different OpenPGP keys and/or manipulated software packages which could very well result in a complete compromise in that customer's IT infrastructure. After all, we are talking about an enterprise backup system that usually has full access to filesystems on machines it is deployed on.
Steps To Reproduce:
1. Visit
2. A TLS warning appears complaining about the fact that the used X.509 certificate is only valid for the domain and not
Additional Information:
Seriously, please fix this. Here are some possible solutions:

1. Install an additional X.509 certificate for
2. Install a wildcard X.509 certificate which is valid for all the above-mentioned domains.
3. Serve your software packages and cryptographic OpenPGP keys through
Tags: No tags attached.


There are no notes attached to this issue.
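
The hostname mismatch from the steps to reproduce, and how solutions 1 and 2 differ in what they cover, worked through as an added example (not part of the original report and not Bareos code). The `example.org` names are constructed placeholders for the three hosts, and the matching rules follow the usual RFC 6125 convention that a wildcard stands for exactly one left-most label.

```python
# Added example: matching hostnames against a certificate's dNSName entries.
# All domain names below are constructed placeholders, not the real hosts.

def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if one dNSName entry covers the hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard stands for exactly one label, so label counts must agree.
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Only a whole left-most label may be a wildcard, and never on a
        # two-label name such as "*.org".
        if len(p_labels) < 3 or not h_labels[0]:
            return False
        return p_labels[1:] == h_labels[1:]
    # Partial or misplaced wildcards are refused; otherwise exact match.
    return "*" not in pattern and p_labels == h_labels


def uncovered_hosts(sans, hostnames):
    """Hostnames that no entry in the certificate's SAN list covers."""
    return [h for h in hostnames
            if not any(san_matches(s, h) for s in sans)]


# Constructed stand-ins for the main site, bug tracker and download host.
SITES = ["www.example.org", "bugs.example.org", "download.example.org"]

# Mismatch of the kind reported: the certificate names one host only.
SINGLE_NAME = ["www.example.org"]
# Solution 1: every host, including the download host, has its own entry.
EXTRA_NAME = ["www.example.org", "bugs.example.org", "download.example.org"]
# Solution 2: wildcard entry, plus the bare domain as a second entry.
WILDCARD = ["*.example.org", "example.org"]

if __name__ == "__main__":
    for label, sans in [("single", SINGLE_NAME), ("extra", EXTRA_NAME),
                        ("wildcard", WILDCARD)]:
        print(label, "uncovered:", uncovered_hosts(sans, SITES))
    # A wildcard does not reach names nested one level deeper.
    print(uncovered_hosts(WILDCARD, ["pkg.download.example.org"]))
```

A wildcard certificate only helps if every served host sits exactly one label below the wildcard's base domain; the bare domain and deeper subdomains need entries of their own.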

Issue History

Date Modified Username Field Change
2015-03-24 02:54 aef New Issue
2015-03-31 10:46 pstorz Assigned To => pstorz
2015-03-31 10:46 pstorz Status new => acknowledged
2015-03-31 14:55 pstorz Assigned To pstorz =>