View Issue Details

ID: 0000443
Project: bareos-core
Category: [All Projects] installer / packages
View Status: public
Last Update: 2015-03-31 14:55
Reporter: aef
Assigned To:
Priority: normal
Severity: major
Reproducibility: always
Status: acknowledged
Resolution: open
Product Version:
Fixed in Version:
Summary: 0000443: Download site not available through HTTPS
Description: Both the Bareos main website ( https://www.bareos.org/ ) and the bug tracker ( https://bugs.bareos.org/ ) are available through HTTPS. Strangely enough, the domain which serves all the software packages and cryptographic OpenPGP keys for code signature verification ( https://download.bareos.org/ ) is NOT available through HTTPS.

An attacker could therefore easily send your customers different OpenPGP keys and/or manipulated software packages, which could very well result in a complete compromise of that customer's IT infrastructure. After all, we are talking about an enterprise backup system that usually has full access to filesystems on machines it is deployed on.
Steps To Reproduce:
1. Visit https://download.bareos.org/
2. A TLS warning appears complaining about the fact that the used X.509 certificate is only valid for the domain www.bareos.org and not download.bareos.org.
Additional Information: Seriously, please fix this. Here are some possible solutions:

1. Install an additional X.509 certificate for download.bareos.org.
2. Install a wildcard X.509 certificate which is valid for all the above-mentioned domains.
3. Serve your software packages and cryptographic OpenPGP keys through www.bareos.org.
Tags: No tags attached.

Activities

There are no notes attached to this issue.
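
The hostname mismatch from the steps to reproduce, and what each of the three proposed solutions changes, as an added example that is not part of the original report or of the Bareos project. It is a simplified RFC 6125 dNSName matcher in Python (ASCII names only); the certificate name lists are constructed for illustration.

```python
# Added example: simplified RFC 6125 dNSName matching (ASCII names only).
# All SAN lists below are constructed for illustration.

def dns_name_matches(pattern, hostname):
    """Return True if one certificate dNSName entry covers hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard stands for exactly one label
    if p[0] == "*":
        # Accept "*" only as the whole left-most label, with at least two
        # fixed labels after it (so "*.org" never matches).
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    if "*" in pattern:
        return False  # partial or non-left-most wildcards are rejected
    return p == h

def uncovered_hosts(san_dns_names, hostnames):
    """Hostnames a client would reject for a cert with these SAN entries."""
    return [host for host in hostnames
            if not any(dns_name_matches(name, host) for name in san_dns_names)]

WWW_ONLY = ["www.bareos.org"]   # constructed: certificate as described in the report
WILDCARD = ["*.bareos.org"]     # constructed: proposed solution 2
SITES = ["www.bareos.org", "bugs.bareos.org", "download.bareos.org"]

if __name__ == "__main__":
    # Reported state: the www-only certificate presented on the download host.
    print("reported:  ", uncovered_hosts(WWW_ONLY, ["download.bareos.org"]))
    # Solution 1: a dedicated certificate for download.bareos.org.
    print("solution 1:", uncovered_hosts(["download.bareos.org"], ["download.bareos.org"]))
    # Solution 2: one wildcard certificate for all three sites.
    print("solution 2:", uncovered_hosts(WILDCARD, SITES))
    # Solution 3: serve packages and keys from www.bareos.org itself.
    print("solution 3:", uncovered_hosts(WWW_ONLY, ["www.bareos.org"]))
    # A wildcard covers neither the apex domain nor deeper subdomains.
    print("wildcard limits:", uncovered_hosts(WILDCARD, ["bareos.org", "a.download.bareos.org"]))
```
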

Issue History

Date Modified Username Field Change
2015-03-24 02:54 aef New Issue
2015-03-31 10:46 pstorz Assigned To => pstorz
2015-03-31 10:46 pstorz Status new => acknowledged
2015-03-31 14:55 pstorz Assigned To pstorz =>