Hi,

On 24.12.2014 at 12:09, Arnaud Jacques / SecuriteInfo.com wrote:
> On Tuesday 23 December 2014, 10:56:37, Dennis Peterson wrote:
>> Second try:
>>
>> What problem are you trying to solve with https?
>
> Privacy.

I'd like to expand upon this.
For the standard use-case using the official sources this might be irrelevant and actually present more drawbacks than advantages.
But: just like the original poster we have a DB of "internal" signatures and we had to solve the exact same problem.
We resolved not to use freshclam at all but rsync/SIGUSR1 the updated signatures to our ~20k servers.
The problem is that HTTP does not support privacy nor authenticity.
Which means:
1. anyone can read the private signatures
2. anyone can meddle with them

AFAICT ClamAV still does not issue secondary certificates to sign private sets of signatures, which would be another way to address the second point.

>
>> The data contain no secrets
>> and are freely available to any who wish to have it, so the immediate
>> effect of encryption is unneeded.

This only applies to the "official" signatures. From context I'm guessing the original poster is not referring to those (hence the custom-url).

>
> Public information, but private usage.
> I believe in this philosophy: https://www.eff.org/encrypt-the-web
>
>> Secondarily, https creates a greater
>> server load to encrypt the data,
>
> With today's CPUs, that's not a problem.
>
>> trusted SSL certs are an added expense,
>
> Trusted SSL is authentication of the server. Could be a good thing for
> downloading high security tools, like antivirus signatures that protect your
> network.
>
> Anyway, you can do SSL without trusting the certificate. Even if it is a bad idea.
>
>> and the additional bandwidth is also not free - someone is paying for it.
>
> True. But this is not so important, according to
> https://stackoverflow.com/questions/149274/http-vs-https-performance
>
> This link is interesting too: https://www.httpvshttps.com/
>
>
>> This seems to me to be a gratuitous use of https but I don't yet know your
>> purpose for doing so.
>
> My idea is not replacing HTTP with HTTPS. It is just adding support for HTTPS
> to freshclam.
> Many websites have switched from HTTP to SSL in the last years. I guess this is
> the natural evolution of the web. This is my opinion.
>

--
Torge Husfeldt
Senior Anti-Abuse Engineer
Abuse-Department 1&1 International

1&1 Internet Service GmbH | Brauerstraße 50 | 76135 Karlsruhe | Germany
Phone: +49 721 91374-4795
E-Mail: torge.husfe...@1und1.de | Web: www.1und1.de

Headquarters Montabaur, District Court Montabaur, HRB 20141
Managing Directors: Frank Einhellinger, Uwe Lamnek, Jan Oetjen

Member of United Internet

This e-mail may contain confidential and/or privileged information. If you are not the intended recipient of this e-mail, you are hereby notified that saving, distribution or use of the content of this e-mail in any way is prohibited. If you have received this e-mail in error, please notify the sender and delete the e-mail.