Http instead of https being used for download links. #346

Closed
picatz opened this issue Nov 26, 2016 · 11 comments
Comments

@picatz

picatz commented Nov 26, 2016

How I insecurely installed ruby and why and things:

At the following url : ruby-lang.org/en/documentation/installation/#rubyinstaller there is a link to the ruby installer website. Note: unlike the link I have made for this issue, the ruby-lang.org website has the following link which is an "insecure" version of the ruby installer website because it's not being served with https. This http version also seems to be the version I am directed to from the google index of "downloads" from what I can tell:
[screenshot: Google search result; image not preserved]

The following is a screenshot of what I'm talking about:
[screenshot 1; image not preserved]

When you click on this link, you're taken to an insecure version of the ruby installer website. Note the lack of the green lock:
[screenshot 2; image not preserved]

So, if I were to want to install ruby ( which I did ), I would be doing so via an insecure connection opening myself up to attacks. Moreover, the actual ruby installer website is serving their default download links with http as well ( from what I can tell ):
[screenshot 3; image not preserved]

I've yet to do any testing to see how vulnerable this current setup is. But, knowing what I know about what should and shouldn't be served over https -- well, I just think these situations warrant it.

When I update or install packages with brew -- that seems to be done over https. I can configure apt to use https. Python's download page seems to have all of its download links with https.

Perhaps I could just add a little s to the link from the downloads page to make it https?
http://dl.bintray.com/oneclick/rubyinstaller/rubyinstaller-2.3.1.exe
I haven't tried. Just tried.
https://dl.bintray.com/oneclick/rubyinstaller/rubyinstaller-2.3.1.exe
Seems to have worked just to the same.

I think it should be the default link to install if the option is there for an extra layer of security by default.
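The check this comment does by hand (spot an installer link served over plain http, see whether the https variant works) can be automated for a whole download page. The script below is an added example, not code from this issue or from the RubyInstaller project: it extracts `<a href>` links from a page, resolves relative and scheme-relative hrefs against the page's own URL (a page served over http makes those downloads http too, even though the href contains no scheme), reports every installer or archive link that would be fetched over http, and shows the https rewrite. The sample HTML, the base URL `http://rubyinstaller.org/downloads/`, and all filenames other than the `rubyinstaller-2.3.1.exe` link quoted above are constructed for the example; the list of download extensions is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Extensions treated as installer/archive downloads (assumption for this example).
DOWNLOAD_EXTENSIONS = (".exe", ".msi", ".zip", ".7z", ".tar.gz", ".tgz", ".dmg", ".pkg")


class _LinkCollector(HTMLParser):
    """Collects the href attribute of every <a> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def is_download_link(url):
    """True when the URL path ends in one of the download extensions."""
    return urlsplit(url).path.lower().endswith(DOWNLOAD_EXTENSIONS)


def find_insecure_download_links(html, page_url):
    """Return the absolute download URLs a browser would fetch over plain http.

    Hrefs are resolved against page_url first, so a relative href such as
    "/downloads/x.zip" or a scheme-relative one such as "//host/x.exe"
    inherits the page's scheme: on an http page they are insecure downloads
    even though the href itself never says "http".
    """
    collector = _LinkCollector()
    collector.feed(html)
    insecure = []
    for href in collector.hrefs:
        absolute = urljoin(page_url, href)
        if is_download_link(absolute) and urlsplit(absolute).scheme == "http":
            insecure.append(absolute)
    return insecure


def upgrade_to_https(url):
    """Rewrite an http URL to https; any other scheme is returned unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    return urlunsplit(("https",) + tuple(parts[1:]))


# Constructed sample page; only the 2.3.1 link is the one quoted in the issue.
SAMPLE_HTML = """
<html><body>
<a href="http://dl.bintray.com/oneclick/rubyinstaller/rubyinstaller-2.3.1.exe">Ruby 2.3.1</a>
<a href="https://dl.bintray.com/oneclick/rubyinstaller/rubyinstaller-2.3.1-x64.exe">Ruby 2.3.1 (x64)</a>
<a href="//dl.bintray.com/oneclick/rubyinstaller/DevKit.exe">DevKit</a>
<a href="/downloads/notes.zip">Release notes</a>
<a href="/about">About</a>
</body></html>
"""

# Constructed base URL; the scheme here decides what the relative links become.
SAMPLE_PAGE_URL = "http://rubyinstaller.org/downloads/"


if __name__ == "__main__":
    for url in find_insecure_download_links(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"insecure: {url}\n    fix:  {upgrade_to_https(url)}")
```

Running the script on the constructed page flags three links: the explicit http link, the scheme-relative DevKit link, and the site-relative notes archive, the last two only because the page itself is served over http. Passing `https://rubyinstaller.org/downloads/` as the page URL instead leaves just the explicit http link, which is why fixing the page's own scheme and the hard-coded links are two separate jobs. Whether the https variant of each rewritten URL actually serves the same file still has to be confirmed against the real host, as the comment above did by hand.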

@picatz
Author

picatz commented Nov 26, 2016

Note: this could totally have been an issue opened in the wrong place.

But, ya' know, you only live once, right?

@picatz
Author

picatz commented Nov 26, 2016

Moved to probably the right place for this.

@picatz picatz closed this as completed Nov 26, 2016
@picatz
Author

picatz commented Nov 26, 2016

UNLESS THIS IS THE RIGHT ONE? WHAT IS THIS PLACE?

@picatz picatz reopened this Nov 26, 2016
@vais

vais commented Nov 27, 2016

@picatz I am as confused as you are at this point... https://github.com/oneclick/rubyinstaller.org does not seem to match what's on the rubyinstaller.org website, so I'm not sure how to make a PR for the website to fix this issue. bintray.com seems to support https just fine, so it's only a matter of updating the links to use https instead of http, but where's the website source? cc @Azolo

@vais

vais commented Nov 27, 2016

@picatz btw I made a PR to update the link to rubyinstaller.org on the ruby-lang site, ruby/www.ruby-lang.org#1514 Thanks!

@picatz
Author

picatz commented Nov 27, 2016

Awesome!

@luislavena
Member

All the download links in rubyinstaller.org are now https.

@picatz
Author

picatz commented Dec 1, 2016

Thanks!

@vais

vais commented Dec 1, 2016

@luislavena sorry to bother you, is the source of rubyinstaller.org not on GitHub? The repo that is on GitHub does not seem to match the site 😕

@luislavena
Member

@vais see conversation on this thread: #309 (comment) (starts at that comment with explanation of repos and current setup).

@vais

vais commented Dec 1, 2016

Awesome, thank you @luislavena. And for what it's worth, we miss you and appreciate all you have done and continue to do despite having officially stepped away from the project quite a while ago. Again, thank you.
