[QScintilla] Insecure SourceForge downloads
Dionysis Zindros
dionyziz at gmail.com
Thu Aug 18 14:57:40 BST 2016
Hi list,

The default source download for QScintilla is here:
https://www.riverbankcomputing.com/software/qscintilla/download

The source download redirects to SourceForge, which offers downloads
via HTTP, not HTTPS. For example, one of the mirrors I was just
redirected to is:
http://netcologne.dl.sourceforge.net/project/pyqt/QScintilla2/QScintilla-2.9.3/QScintilla_gpl-2.9.3.tar.gz

You can take a look at the redirect yourself:
http://sourceforge.net/projects/pyqt/files/QScintilla2/QScintilla-2.9.2/QScintilla_gpl-2.9.2.tar.gz

This means that the download is unauthenticated and a network attacker
can modify the source on the network using trivial man-in-the-middle
techniques, leading to serious security problems. This attack is cheap
and easy to perform.

I'm working on improving the security of the installation of sonic-pi,
which depends on QScintilla and needs to download these sources:
https://github.com/samaaron/sonic-pi/blob/master/app/gui/qt/build-osx-app#L18

The rationale behind moving away from SourceForge is described in
more detail here:
http://blog.gluster.org/2013/08/how-far-the-once-mighty-sourceforge-has-fallen/

For this reason, we recommend you move your source downloads away from
SourceForge and onto a more secure platform. I spoke to
SourceForge last year about these issues, and after five attempts at
communicating with them and several back-and-forth discussions with
their Ops team, they do not seem to be cooperative or willing to move
to SSL. However, I am Cc'ing their Ops on this e-mail to give them a
fair chance to respond for the sixth time.

As for a platform to move to, I suggest GitHub, as it offers HTTPS
downloads among others.

What is the list's opinion on performing such a migration? If we
decide to do it, what are the necessary steps to go ahead with this?

Best,
Dionysis Zindros.
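The unauthenticated-download problem described in the message above is one a build script such as the linked sonic-pi one has to defend against on its own side, whatever the upstream hosting does. The following POSIX shell fragment is an added example, not part of this e-mail, of QScintilla, or of the sonic-pi project: it refuses any URL that is not HTTPS (including a redirect chain that ends at a plain-HTTP mirror, which is exactly what the SourceForge links above do) and verifies the downloaded tarball against a pinned SHA-256 before anything is unpacked. The digest and URL in the usage comment are placeholders; a real script would carry the checksum published for the exact release it pins.

```shell
#!/bin/sh
# Added example: HTTPS-only source fetch with a pinned SHA-256.
# Not taken from the e-mail or from sonic-pi's build-osx-app script.

# Accept only https:// URLs so a plain-HTTP mirror is never used.
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Hex SHA-256 of a file, using sha256sum (Linux) or shasum (macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Succeed only if the file's digest equals the pinned one.
verify_sha256() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# Download with curl, then verify. --proto '=https' makes curl refuse a
# non-HTTPS initial URL and --proto-redir '=https' makes it refuse any
# redirect (followed because of -L) to http://, so a mirror downgrade
# aborts the download instead of silently succeeding.
# A tarball whose digest does not match the pin is deleted.
fetch_verified() {
    url=$1
    expected=$2
    out=$3
    require_https "$url" || { echo "refusing non-HTTPS URL: $url" >&2; return 1; }
    curl --proto '=https' --proto-redir '=https' -fsSL -o "$out" "$url" || return 1
    if ! verify_sha256 "$out" "$expected"; then
        echo "checksum mismatch for $out; discarding it" >&2
        rm -f "$out"
        return 1
    fi
}

# Usage with PLACEHOLDER values (replace with the release's published digest):
# fetch_verified https://example.invalid/QScintilla_gpl-2.9.3.tar.gz \
#     0000000000000000000000000000000000000000000000000000000000000000 \
#     QScintilla_gpl-2.9.3.tar.gz && tar xzf QScintilla_gpl-2.9.3.tar.gz
```

Pinning the digest is what actually authenticates the archive: HTTPS only authenticates the mirror you talked to, and a hash recorded in the build script at the time the release was reviewed detects both a tampered transfer and a tarball replaced on the hosting side.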