2017-09-28 19:56 GMT+03:00 Konstantin Kolinko <knst.koli...@gmail.com>:
> 2017-09-26 11:57 GMT+03:00 Oliver Heister <oliverheis...@gmail.com>:
>> 2. Currently MITM attacks by evil ISPs or WiFi networks are possible
>> against people downloading tomcat from
>> http://tomcat.apache.org/download-80.cgi . (The page has links to PGP, md5
>> and sha1 hashes for validation, but the links are on a http page that does
>> not redirect to https. This means they could be replaced in case of MITM.)
>>
>> IMO a HTTP 301 redirect to the https version and HSTS headers should be
>> added to http://tomcat.apache.org/ .
>
> The recommended way to validate releases is to check the PGP
> signature, not the checksums.
>
> It is not so easy to compromise a PGP signature. You cannot generate a
> new signature without having a key.
>
>
> I think that HSTS is an overkill.
>
> Maybe update links to *.cgi pages (in menu and on the site) to use https:
I updated the XSLT stylesheet that is used to generate the tomcat.apache.org
site so that all links to *.cgi pages are automatically updated to use
https://tomcat.apache.org. I also updated the links to archive.apache.org,
blogs.apache.org, wiki.apache.org and ASF fundraising & sponsorship pages
to use https.

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
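The link rules described in the reply above, expressed as an added Python example rather than the project's own XSLT (which is not on this page): absolute or relative links to *.cgi pages become https://tomcat.apache.org links, links to the named ASF hosts are upgraded to https, and an audit function lists whatever http:// links the rules leave behind so a site maintainer can review them. The host for the fundraising/sponsorship pages (www.apache.org), the handling of relative *.cgi links, and the sample HTML are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

SITE_HOST = "tomcat.apache.org"

# Other ASF hosts whose links the reply says were switched to https.
# www.apache.org is an assumption standing in for the fundraising/sponsorship pages.
HTTPS_HOSTS = {"archive.apache.org", "blogs.apache.org", "wiki.apache.org", "www.apache.org"}

# Matches double-quoted href attributes in generated HTML.
HREF_RE = re.compile(r'(href\s*=\s*")([^"]*)(")', re.IGNORECASE)


def upgrade_url(url):
    """Return the https form of `url` when the thread's rules apply, else `url` unchanged."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    # Relative link to a *.cgi page on the site: make it absolute and https
    # (assumed reading of "automatically updated to use https://tomcat.apache.org").
    if not parts.scheme and not host and parts.path.endswith(".cgi"):
        return urlunsplit(("https", SITE_HOST, "/" + parts.path.lstrip("/"),
                           parts.query, parts.fragment))
    if parts.scheme != "http":
        return url  # already https, mailto:, anchors, etc.
    if host == SITE_HOST and parts.path.endswith(".cgi"):
        return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
    if host in HTTPS_HOSTS:
        return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
    return url


def rewrite_links(html):
    """Apply upgrade_url to every href in an HTML document."""
    return HREF_RE.sub(lambda m: m.group(1) + upgrade_url(m.group(2)) + m.group(3), html)


def insecure_links(html):
    """Audit: return the http:// hrefs still present, in document order."""
    return [m.group(2) for m in HREF_RE.finditer(html)
            if urlsplit(m.group(2)).scheme == "http"]


# Constructed sample markup (not the real site), covering each rule and a non-match.
SAMPLE_HTML = (
    '<a href="download-80.cgi">Tomcat 8</a>\n'
    '<a href="http://tomcat.apache.org/download-90.cgi">Tomcat 9</a>\n'
    '<a href="http://archive.apache.org/dist/tomcat/">Archives</a>\n'
    '<a href="http://tomcat.apache.org/whichversion.html">Which version?</a>\n'
    '<a href="http://www.example.org/">Unrelated</a>\n'
)

if __name__ == "__main__":
    rewritten = rewrite_links(SAMPLE_HTML)
    print(rewritten)
    for url in insecure_links(rewritten):
        print("still http:", url)
```

Running it on the sample leaves two http:// links in the audit output: the .html page on tomcat.apache.org (the rules only cover *.cgi pages) and the unrelated host. That is the point of the audit function: it shows what the rewrite does not cover so the remaining links can be judged case by case.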