Discussion:
[webmin-l] Website/downloads not secure?
l***@sloop.net
2017-05-15 18:02:12 UTC
I'm quite surprised that the webmin site and downloads aren't SSL/TLS secure. [And that you're still using MD5 for hashes?]

I know time is valuable and things get put off, but I'm exceptionally wary about downloading and/or installing from sources that aren't secure! How is it that webmin isn't doing this now?

[And I guess I should ask, is the update mechanism secure? It would be pretty trivial for someone to take over servers with a MITM "update" and download that wasn't secure.]
Could someone describe the update process, if you consider it secure?

-Greg
Jamie Cameron
2017-05-15 18:11:16 UTC
Hi Greg,

The actual package downloads are GPG signed, and Webmin will verify updates done from within the UI by checking the signature before installing. Also, the downloads from sourceforge are protected by SSL.

On 15/May/2017 11:02 ***@sloop.net wrote ..
> I'm quite surprised that the webmin site and downloads aren't SSL/TLS secure. [And that you're still using MD5 for hashes?]
>
> I know time is valuable and things get put off, but I'm exceptionally wary about downloading and/or installing from sources that aren't secure! How is it that webmin isn't doing this now?
>
> [And I guess I should ask, is the update mechanism secure? It would be pretty trivial for someone to take over servers with a MITM "update" and download that wasn't secure.]
> Could someone describe the update process, if you consider it secure?
>
> -Greg
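
Added example, not part of the original thread and not Webmin's code: it shows why a signature checked against a key the client already trusts holds up when the download channel is not secure, while a checksum published over the same channel does not. Assumptions: Ed25519 from the Go standard library stands in for the GPG signature, the package bytes are constructed, and all type and function names are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/md5"
	"fmt"
)

// Download is what a client receives over an unauthenticated channel.
type Download struct {
	Package  []byte
	Checksum [md5.Size]byte // published next to the package, same channel
	Sig      []byte         // detached signature made by the publisher
}

// publish is the project's side: checksum and sign the release.
func publish(priv ed25519.PrivateKey, pkg []byte) Download {
	return Download{pkg, md5.Sum(pkg), ed25519.Sign(priv, pkg)}
}

// swapInTransit models the MITM "update": package and checksum replaced.
func swapInTransit(d Download, other []byte) Download {
	return Download{other, md5.Sum(other), d.Sig}
}

func checksumOK(d Download) bool {
	sum := md5.Sum(d.Package)
	return bytes.Equal(sum[:], d.Checksum[:])
}

// signatureOK verifies against a key the client already trusts (pinned).
func signatureOK(pinned ed25519.PublicKey, d Download) bool {
	return ed25519.Verify(pinned, d.Package, d.Sig)
}

// demo returns: genuine accepted, swapped passes checksum, swapped passes signature.
func demo() (genuineOK, swappedSum, swappedSig bool) {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	good := publish(priv, []byte("constructed package bytes v1"))
	bad := swapInTransit(good, []byte("constructed modified bytes"))
	return checksumOK(good) && signatureOK(pub, good), checksumOK(bad), signatureOK(pub, bad)
}

func main() { fmt.Println(demo()) } // true true false
```

The swapped download passes the checksum comparison because both values arrived over the same channel; only the signature check rejects it.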