Page MenuHomeVyOS Platform

Packages server and downloads should be available via HTTPS
Closed, ResolvedPublicFEATURE REQUEST

Description

Original issue filed by @beamerblvd on 2015-04-25 in Bugzilla, copied here because it still has not been responded to and is still an issue:

VyOS is often installed on security-critical firewall hardware. Offering HTTP-only packages and HTTP-only downloads presents a security vulnerability. To that end:

Details

Difficulty level
Easy (less than an hour)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible

Event Timeline

Comment by @beamerblvd on 2016-01-24:

Please? HTTP downloads are not suitable to use on security-critical hardware.

syncer edited projects, added Infrastructure; removed VyOS 2.0.x, VyOS 1.1.x, VyOS 1.2 Crux.
syncer added a subscriber: syncer.

Should we just add letsencrypt ?

In T422#8426, @syncer wrote:

Should we just add letsencrypt ?

Seems appropriate to me.

On a slightly-related note, I was using the VyOS forums today, and trying to quote a message in my reply, but it wouldn't work. I looked at the JavaScript console and it's full of errors about non-secure JS and CSS resources' being requested from a secure page, and Chrome blocking them as a result. Seems like we've got some mixed content problems going on in the forums.

This begs the question about the mirror mechanism. My mirror supports TLS, but most don't.

syncer changed the task status from Open to In progress.Dec 19 2017, 7:57 PM

We should probably put in the mirror documentation that new mirrors must support TLS and existing mirrors are strongly urged to add support for TLS. However, to be clear, wanting a secure source for my downloads, I won't download from a mirror, because there's a lower level of trust. In fact, given a mirror with TLS and a the master source without TLS, I would chose the master source every time.

If you can at least get a strong hash sum of the ISO from the master, that should be sufficient regardless of where the binary is downloaded from. Of course, if the master is compromised, all bets are off.

That's true, I would use a TLS mirror with a SHA-256 hash from the master. But I'd also want the master to be TLS.

It will be sooner or later ;)

Awesome. :) Let me know if you ever need an extra pair of hands on the infrastructure front.

The downloads.vyos.io is now using mandatory HTTPS. On the dev.packages.vyos.net, HTTPS is optional. To declare this closed, we need someone to independently verify that ISO build works with HTTPS for them.

I didn't notice that this was still open, I can confirm the HTTPS method works as expected from VyOS 1.1.8 and later.

dmbaturin changed Difficulty level from Unknown (require assessment) to Easy (less than an hour).
dmbaturin set Is it a breaking change? to Perfectly compatible.