Ticket #491 (new defect)

Opened 21 months ago

Last modified 21 months ago

GPG key served over insecure http

Reported by: linus wallgren <linus.wallgren+telldus@…>
Owned by:
Priority: major
Milestone:
Component: other
Version:
Keywords:
Cc:
Blocked By:
Blocking:
Platform: Linux
Sensitive: no
Verified by Telldus: no

Description

The current link in the wiki: https://developer.telldus.com/wiki/TellStickInstallationUbuntu has the following link to the GPG key:

http://download.telldus.se/debian/telldus-public.key

As you can obviously see, it is served over HTTP, meaning there is no way to verify that the file is actually served by Telldus.

Change History

comment:1 Changed 21 months ago by daz jobb <stefan.persson@…>

We are currently in the process of moving the Debian repository.

Meanwhile, (as always) verify the key fingerprint to ensure that it's the correct key. It's also temporarily served over HTTPS here: https://fw.telldus.com/telldus-public.key

comment:2 Changed 21 months ago by linus wallgren <linus.wallgren+telldus@…>

Thank you for that link (and a quick response!)

Regarding verifying the fingerprint, the same issue applies to the fingerprint: as it is listed on a page only served over HTTP, there is no way for me to trust the fingerprint itself.

comment:3 Changed 21 months ago by daz jobb <stefan.persson@…>

You are quite right, but that page is served over HTTPS too; I thought you were using that.

comment:4 Changed 21 months ago by linus wallgren <linus.wallgren+telldus@…>

Ah, I completely missed that, my bad. I guess the ticket can be closed in that case :)
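
The fingerprint check discussed in this ticket, as an added example that is not part of the original ticket or of Telldus' own tooling: it compares the primary-key fingerprint of a downloaded key file against a fingerprint pinned from a page read over HTTPS, before the key is handed to apt. The function names and the sample listing are constructed for illustration; it assumes GnuPG 2.2 or later (`--show-keys`) and 40-hex-digit (v4) fingerprints.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Constructed `gpg --with-colons`
# listing: one primary key (pub) followed by one subkey (sub).
SAMPLE_LISTING='pub:-:2048:1:89ABCDEF01234567:1262304000:::-:::scSC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1262304000::::Example Repo <repo@example.invalid>:
sub:-:2048:1:0011223344556677:1262304000::::::e:
fpr:::::::::FFEEDDCCBBAA99887766554433221100FFEEDDCC:'

# Strip spaces/colons and uppercase, so a fingerprint copied from a web page
# ("0123 4567 ...") compares equal to gpg's machine-readable form.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\n' | tr 'a-f' 'A-F'
}

# check_key_listing EXPECTED_FPR   (colon-format listing on stdin)
# Returns 0 on match, 1 on mismatch, 2 if EXPECTED_FPR is not a full
# 40-hex fingerprint, 3 if the listing does not hold exactly one primary key.
check_key_listing() {
    expected=$(normalize_fpr "$1")
    case "$expected" in
        *[!0-9A-F]*|'') return 2 ;;
    esac
    # Short key IDs (8/16 hex digits) are not accepted as a pin.
    [ "${#expected}" -eq 40 ] || return 2
    # Count pub records and keep the fpr record that directly belongs to pub;
    # fpr records after "sub" are subkey fingerprints and are ignored.
    result=$(awk -F: '
        $1 == "pub" { npub++; want = 1; next }
        want && $1 == "fpr" { fpr = $10; want = 0 }
        END { print npub + 0, fpr }')
    npub=${result%% *}
    actual=${result#* }
    # A file bundling extra keys would import all of them; refuse it.
    [ "$npub" -eq 1 ] || return 3
    [ "$actual" = "$expected" ] || return 1
    return 0
}

# verify_key_file FILE EXPECTED_FPR
# Inspects FILE without importing it into any keyring.
verify_key_file() {
    gpg --show-keys --with-colons -- "$1" 2>/dev/null | check_key_listing "$2"
}
```

Typical use is to fetch the key from the HTTPS URL given in comment:1, then run `verify_key_file telldus-public.key "<fingerprint from the HTTPS page>"` and only install the key when it returns 0.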
