why no update/download over https? security risk? [message #1270367] Wed, 12 March 2014 23:09
under net
Messages: 3
Registered: March 2014
Junior Member
I just noticed that the main eclipse update site: http://download.eclipse.org/releases/kepler/ and the main download sources do not use encryption (i.e. not HTTPS), so anybody could MITM (man in the middle) my downloads and I could be running compromised software that steals my code or worse. It seems kind of strange to me that an IDE used to create all manner of software, some of it very sensitive, does not have any security protection for downloaded new software. I can understand third party plugins not having encryption (even though they should), but the main eclipse update site?

Am I missing something here?

Re: why no update/download over https? security risk? [message #1271386 is a reply to message #1270367] Sat, 15 March 2014 01:36
Russell Bateman
Messages: 3265
Registered: July 2009
Location: Provo, Utah, USA
Senior Member

On 03/13/2014 12:32 AM, under net wrote:
> I just noticed that the main eclipse update site:
> http://download.eclipse.org/releases/kepler/ and the main download
> sources do not use encryption (ie. not HTTPS), so anybody could MITM
> (man in the middle) my downloads and I could be running compromised
> software that steals my code or worse. It seems kind of strange to me
> that an IDE used to create all manner of software, some of it very
> sensitive, does not have any security protection for downloaded new
> software, I can understand third party plugins not having encryption
> (even though they should) but the main eclipse update site?
> Am I missing something here?

You do have the option of downloading a checksum'd version. Would that help?
Re: why no update/download over https? security risk? [message #1272789 is a reply to message #1271386] Tue, 18 March 2014 19:42
under net
Messages: 3
Registered: March 2014
Junior Member
Not really. If I was being man-in-the-middle attacked, the attacker could just send me a copy of the webpage/checksum file that matched his own compromised update package/install file, and I would not know the difference.

Using encryption prevents the attacker from inserting forged data, period, due to the shared secret key and server certificates. You'd think that with all the hype around security and surveillance ATM the eclipse admins would at least offer encryption as an option, although in my view it should be mandatory given the sensitive nature of the programs being downloaded.
Re: why no update/download over https? security risk? [message #1276797 is a reply to message #1272789] Tue, 25 March 2014 03:05
Denis Roy
Messages: 357
Registered: October 2004
Location: Ottawa, Ontario, Canada
Senior Member

Each jar file in that directory is digitally signed *once* using a 4096-bit key. This allows Eclipse to verify authenticity while a) allowing us to use public mirrors and b) not incurring the overhead of encrypted channels for all.

Denis Roy
Eclipse Webmaster -- webmaster@eclipse.org
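The two verification models argued over in this thread, as an added illustration that is not part of the original posts and not Eclipse's own tooling: a checksum that travels over the same plain-HTTP channel as the artifact (Russell's suggestion, and the weakness under net points out) versus a check against a value the client already holds from a trusted path (the role the pre-installed signing key plays in Denis's jar-signature scheme). The artifact bytes, the "attacker" and the pinned value are all constructed inline; `jarsigner -verify` is the JDK tool that performs the actual jar-signature check Denis describes, which this simulation does not reproduce.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Download:
    """What the client receives over plain HTTP (constructed, not real Eclipse data)."""
    artifact: bytes
    checksum: str  # the .sha256 file fetched from the SAME site, over the SAME channel


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for a real update-site jar and a tampered copy of it.
GENUINE = b"org.example.plugin_1.0.0.jar (constructed stand-in for a real jar)"
TAMPERED = b"org.example.plugin_1.0.0.jar + injected code (constructed tampered copy)"


def serve(mitm: bool) -> Download:
    """Simulate the update site, optionally with an on-path attacker rewriting the
    response. The attacker controls the whole HTTP reply, so the checksum file is
    recomputed to match the tampered artifact; nothing looks inconsistent to the client."""
    artifact = TAMPERED if mitm else GENUINE
    return Download(artifact=artifact, checksum=sha256_hex(artifact))


def verify_same_channel(dl: Download) -> bool:
    """The 'checksum'd version' check: hash the file, compare with the checksum that
    arrived next to it. Detects corruption in transit, not a deliberate substitution."""
    return hmac.compare_digest(sha256_hex(dl.artifact), dl.checksum)


def verify_pinned(dl: Download, pinned_checksum: str) -> bool:
    """Same hash comparison, but against a value obtained out of band (an HTTPS page,
    a signed release note, or, as with a signing key shipped inside the installer,
    something already on disk) which the on-path attacker cannot rewrite."""
    return hmac.compare_digest(sha256_hex(dl.artifact), pinned_checksum)


# Obtained once over a trusted path; constructed here from the genuine bytes.
PINNED = sha256_hex(GENUINE)


def run_scenarios() -> dict:
    """Run all four combinations and report which downloads would be accepted."""
    return {
        "honest/same-channel": verify_same_channel(serve(mitm=False)),
        "mitm/same-channel": verify_same_channel(serve(mitm=True)),   # accepted: the weakness
        "honest/pinned": verify_pinned(serve(mitm=False), PINNED),
        "mitm/pinned": verify_pinned(serve(mitm=True), PINNED),       # rejected: the fix
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:22s} -> {'ACCEPTED' if accepted else 'REJECTED'}")
```

The only scenario that differs between the two checks is `mitm/same-channel`, which the same-channel check accepts and the pinned check rejects. That is the whole argument of the thread in one table: a checksum is only as trustworthy as the channel it came over, and a signature scheme works because the verification key is delivered ahead of time by a path the mirror network (and anyone sitting on it) never touches.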