[Deluge] #3155: [Security] [Feature request] Use HTTPS for Deluge binaries, source, and web registration page

Thu, 01 Feb 2018 12:15:47 -0800 

#3155: [Security] [Feature request] Use HTTPS for Deluge binaries, source, and 
web
registration page
-------------------------------------------------+-------------------------
 Reporter:  catball                              |      Owner:
     Type:  feature-request                      |     Status:  new
 Priority:  major                                |  Milestone:  not
                                                 |  applicable
Component:  Packaging                            |    Version:  other
 Keywords:  https, encryption, security,         |  (please specify)
  feature request                                |
-------------------------------------------------+-------------------------
 '''Feature request:'''

 Host Deluge website, binary downloads, source code, and bug tracker with
 HTTPS encryption.

 ----

 '''Why is this needed:'''

 Especially when downloading binaries or registering for an account on this
 website to report bugs, it is trivial for a man-in-the-middle attacker to
 substitute the Deluge binaries with their own malicious binaries.
 Likewise, when registering for an account to report bugs here, credentials
 are sent in clear HTTP and can be trivially sniffed over the network.

 ----

 '''How to fix:'''

 Thankfully it is presently easy and free to get certificates from CAs like
 Let's Encrypt (https://letsencrypt.org/) and tools like Certbot make it
 easy to request and use certs (https://certbot.eff.org/). A good starting
 point might be here: (https://letsencrypt.org/getting-started/)

 ----

 '''Ideal state:'''

 Ideally, all web elements of the deluge website deluge-torrent.org and all
 subdomains including dev.deluge-torrent.org and download.deluge-
 torrent.org should be encrypted.

 Additionally, providing checksums of Deluge binaries with a relatively
 secure hashing algorithm like SHA256 and/or PGP verification for files
 would be good, so users can verify their downloads.

--
Ticket URL: <http://dev.deluge-torrent.org/ticket/3155>
Deluge <http://deluge-torrent.org/>
Deluge Project

-- 
You received this message because you are subscribed to the Google Groups 
"Deluge Dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/group/deluge-dev.
For more options, visit https://groups.google.com/d/optout.

Reply via email to