Ticket #491 (new defect)

Opened 3 years ago

Last modified 3 years ago

GPG key served over insecure http

Reported by: linus wallgren <linus.wallgren+telldus@…> Owned by:
Priority: major Milestone:
Component: other Version:
Keywords: Cc:
Blocked By: Blocking:
Platform: Linux Sensitive: no
Verified by Telldus: no


The current link in the wiki:  https://developer.telldus.com/wiki/TellStickInstallationUbuntu has the following link to the GPG key:


As you can obviously see it is served over http, meaning there is no way to verify that the file is actually served by telldus.

Change History

comment:1 Changed 3 years ago by daz jobb <stefan.persson@…>

We are currently in the process of moving the debian repository.

Meanwhile, (as always) verify the key fingerprint to assure that it's the correct key. It's also temporarily served over https here:  https://fw.telldus.com/telldus-public.key

comment:2 Changed 3 years ago by linus wallgren <linus.wallgren+telldus@…>

Thank you for that link (and a quick response!)

Regarding verifying the fingerprint, the same issue applies to the fingerprint, as it is listed on a page only served over http there is no way for me to trust the fingerprint itself.

comment:3 Changed 3 years ago by daz jobb <stefan.persson@…>

You are quite right, but that page is served over https too, I thought you were using that.

comment:4 Changed 3 years ago by linus wallgren <linus.wallgren+telldus@…>

Ah, I completely missed that, my bad, I guess the ticket can be closed in that case :)

Note: See TracTickets for help on using tickets.