Hacker News

Should information like this be provided over an insecure HTTP connection?

    signify(1) pubkeys for this release:
    base: RWR0EANmo9nqhpPbPUZDIBcRtrVcRwQxZ8UKGWY8Ui4RHi229KFL84wV
    fw: RWT4e3jpYgSeLYs62aDsUkcvHR7+so5S/Fz/++B859j61rfNVcQTRxMw
    pkg: RWSPEf7Vpp2j0PTDG+eLs5L700nlqBFzEcSmHuv3ypVUEOYwso+UucXb


No.

Now you've learned a valuable lesson about asking a rhetorical question on the internet. None of the other responders knew the correct answer.



Eh, I think it's fine. I advocate for HTTPS everywhere but I don't think this particular bit of information is so sensitive as to demand encryption.


Public keys are intended to be public. So long as you're not transmitting them over the same connection as the one you're using them in, you're golden.


The point of HTTPS is not to hide things, it's to prevent tampering... Which seems relevant when transmitting checksums.


That problem can be solved by retrieving the key out of band. If you're that worried about it, use a VPN to verify that the key you're seeing is the right key. That will vastly increase the difficulty of pulling off a successful attack. They'd have to MitM both connections, as well as the connection you're using to download the software, in order to compromise it.
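The out-of-band comparison discussed in this thread, as an added example that is not part of any comment above: it decodes signify(1) public key lines (2-byte algorithm tag `Ed`, 8-byte key number, 32-byte Ed25519 key) and reports which channels delivered a key that differs from a reference copy. The channel names and the tampered copy are constructed for illustration; the `base` key is the one quoted at the top of the thread.

```python
import base64
import binascii

# Key quoted in the thread ("base"), as seen over the plain-HTTP page.
BASE_HTTP = "RWR0EANmo9nqhpPbPUZDIBcRtrVcRwQxZ8UKGWY8Ui4RHi229KFL84wV"

# Constructed sample: the same key fetched over hypothetical channels,
# one of which (last character altered) stands in for a tampered copy.
SAMPLE_COPIES = {
    "http-page": BASE_HTTP,
    "vpn-fetch": BASE_HTTP,
    "tampered-mirror": BASE_HTTP[:-1] + "W",
}


def parse_signify_pubkey(b64_line: str) -> dict:
    """Decode the base64 line of a signify public key and check its layout."""
    try:
        raw = base64.b64decode(b64_line.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from None
    if len(raw) != 42:
        raise ValueError(f"expected 42 bytes, got {len(raw)}")
    if raw[:2] != b"Ed":
        raise ValueError(f"unexpected algorithm tag {raw[:2]!r}")
    return {"alg": raw[:2], "keynum": raw[2:10], "key": raw[10:]}


def mismatched_channels(copies: dict, reference: str = "http-page") -> list:
    """Return the channels whose key number or key bytes differ from the reference."""
    ref = parse_signify_pubkey(copies[reference])
    bad = []
    for channel, line in copies.items():
        got = parse_signify_pubkey(line)
        if (got["keynum"], got["key"]) != (ref["keynum"], ref["key"]):
            bad.append(channel)
    return bad


if __name__ == "__main__":
    key = parse_signify_pubkey(BASE_HTTP)
    print("keynum:", key["keynum"].hex())
    print("channels that disagree:", mismatched_channels(SAMPLE_COPIES))
```

Agreement between channels only shows that both delivered the same bytes; it says nothing if every channel shares one tampered path.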



