why no update/download over https? security risk? [message #1270367] Wed, 12 March 2014 19:09
Eclipse User
I just noticed that the main Eclipse update site, http://download.eclipse.org/releases/kepler/, and the main download sources do not use encryption (i.e. not HTTPS), so anybody could MITM (man in the middle) my downloads and I could be running compromised software that steals my code or worse. It seems kind of strange to me that an IDE used to create all manner of software, some of it very sensitive, does not have any security protection for downloaded new software. I can understand third-party plugins not having encryption (even though they should), but the main Eclipse update site?

Am I missing something here?

Re: why no update/download over https? security risk? [message #1271386 is a reply to message #1270367] Fri, 14 March 2014 21:36
Eclipse User
On 03/13/2014 12:32 AM, under net wrote:
> I just noticed that the main eclipse update site:
> http://download.eclipse.org/releases/kepler/ and the main download
> sources do not use encryption (ie. not HTTPS), so anybody could MITM
> (man in the middle) my downloads and I could be running compromised
> software that steals my code or worse. It seems kind of strange to me
> that an IDE used to create all manner of software, some of it very
> sensitive, does not have any security protection for downloaded new
> software, I can understand third party plugins not having encryption
> (even though they should) but the main eclipse update site?
> Am I missing something here?

You do have the option of downloading a checksummed version. Would that help?
Re: why no update/download over https? security risk? [message #1272789 is a reply to message #1271386] Tue, 18 March 2014 15:42
Eclipse User
Not really. If I were being man-in-the-middle attacked, the attacker could just send me a copy of the web page/checksum file that matched his own compromised update package/install file, and I would not know the difference.

Using encryption prevents the attacker from inserting forged data, period, due to the shared secret key and server certificates. You'd think that with all the hype around security and surveillance at the moment, the Eclipse admins would at least offer encryption as an option, although in my view it should be mandatory given the sensitive nature of the programs being downloaded.
Re: why no update/download over https? security risk? [message #1276797 is a reply to message #1272789] Mon, 24 March 2014 23:05
Eclipse User
Each jar file in that directory is digitally signed *once* using a 4096-bit key. This allows Eclipse to verify authenticity while a) allowing us to use public mirrors and b) avoiding the overhead of encrypted channels for all.
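The trade-off in the last two posts (a checksum fetched beside the package versus a signature checked against a key the client already holds), as an added example in Go that is not Eclipse's own code: the artifact bytes are constructed, RSA-2048 stands in for the 4096-bit key the reply mentions, and all function names are hypothetical.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed sample bytes standing in for a plugin jar and a tampered copy of it.
var (
	Genuine  = []byte("org.example.plugin_1.0.0.jar: genuine bytes")
	Tampered = []byte("org.example.plugin_1.0.0.jar: tampered bytes")
)

// Publish is the checksum a site serves beside pkg; whoever can rewrite pkg on the wire can rewrite this too.
func Publish(pkg []byte) string {
	sum := sha256.Sum256(pkg)
	return hex.EncodeToString(sum[:])
}

// ChecksumMatches only proves pkg and the checksum file are consistent with each other: both crossed the same unauthenticated channel.
func ChecksumMatches(pkg []byte, published string) bool {
	return Publish(pkg) == published
}

// Sign runs once at the publisher. The thread mentions a 4096-bit key; 2048-bit keys are used below only to keep the example fast.
func Sign(priv *rsa.PrivateKey, pkg []byte) ([]byte, error) {
	digest := sha256.Sum256(pkg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifySigned checks against a public key obtained out of band (pinned in the client), which a mirror or on-path party cannot swap.
func VerifySigned(pub *rsa.PublicKey, pkg, sig []byte) bool {
	digest := sha256.Sum256(pkg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	fmt.Println("checksum, substituted:", ChecksumMatches(Tampered, Publish(Tampered))) // true: says nothing about origin
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	sig, _ := Sign(priv, Genuine)
	fmt.Println("signature, genuine:", VerifySigned(&priv.PublicKey, Genuine, sig))   // true
	fmt.Println("signature, tampered:", VerifySigned(&priv.PublicKey, Tampered, sig)) // false
	other, _ := rsa.GenerateKey(rand.Reader, 2048) // a key the client has not pinned
	sig2, _ := Sign(other, Tampered)
	fmt.Println("signature, other key:", VerifySigned(&priv.PublicKey, Tampered, sig2)) // false
}
```

The detached signature gives the same guarantee over a plain HTTP mirror as it would over HTTPS, provided the verifying key reached the client by a different route than the package.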