Permit no https #88

Open
leijurv opened this issue Feb 18, 2020 · 0 comments
leijurv (Member) commented Feb 18, 2020

Our security model doesn't require https, given the GPG signatures.

This crash https://pastebin.com/MrVQ0kb6 from https://discordapp.com/channels/208753003996512258/222120655594848256/679408095033688077 demonstrates that some people just have completely broken https certs. Minecraft's launcher gets around this and allows us to download from github though.

We use http for http://impactclient.net/releases.json, with a fallback to the https://api.github.com endpoint.

But for the .json and .json.asc, it's just a https to github with no fallback. Just a gut feeling is that the github https should be the default not the fallback. Reasoning is that it maintains an accurate download count, and that the .json is fundamentally more theoretically attackable. For example, it could potentially crash the client by deserializing a large number of libraries idk. Again just a gut feeling.

Anyway, let's add like, idk, something like http://githubproxy.impactclient.net/Impact-4.8.3-1.13.2.json (note the http!) that proxies https://github.com/ImpactDevelopment/ImpactReleases/releases/download/4.8.3-1.13.2/Impact-4.8.3-1.13.2.json and same for .asc. We would NOT do this with the .jar, since that isn't fetched by the installer, and instead by the launcher.

I verified that this will work, because if you scroll down in that discord convo linked above, sending him the json worked, meaning that his installer was correctly able to fetch the .jar from the same https://github endpoint.

@leijurv leijurv added the bug Something isn't working label Feb 18, 2020
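An added example, not part of the issue or of the Impact installer's code, sketching the fetch order discussed above: GitHub over https first, the proposed plain-http proxy second, with the detached signature checked on the raw bytes before any JSON parsing. The function names, the size caps, the `.json.asc` URL on the proxy, and a `gpgv` binary with a keyring holding only the release keys are assumptions.

```python
import json
import subprocess
import tempfile
import urllib.request
from pathlib import Path

MAX_JSON_BYTES = 1 << 20  # assumed cap: oversized manifests are rejected before parsing
MAX_SIG_BYTES = 64 << 10  # assumed cap for the detached .asc
GITHUB = "https://github.com/ImpactDevelopment/ImpactReleases/releases/download/4.8.3-1.13.2/Impact-4.8.3-1.13.2.json"
PROXY = "http://githubproxy.impactclient.net/Impact-4.8.3-1.13.2.json"  # hostname proposed in the issue
SOURCES = [(u, u + ".asc") for u in (GITHUB, PROXY)]  # https first, plain http as the fallback

def http_fetch(url, limit):
    """Download at most `limit` bytes; anything larger is an error, not a truncation."""
    with urllib.request.urlopen(url, timeout=15) as resp:
        body = resp.read(limit + 1)
    if len(body) > limit:
        raise ValueError("response exceeds size limit")
    return body

def gpgv_verify(data, sig, keyring):
    """Check a detached signature with gpgv; every key in `keyring` is treated as trusted."""
    with tempfile.TemporaryDirectory() as tmp:
        data_path, sig_path = Path(tmp, "release.json"), Path(tmp, "release.json.asc")
        data_path.write_bytes(data)
        sig_path.write_bytes(sig)
        cmd = ["gpgv", "--keyring", keyring, str(sig_path), str(data_path)]
        return subprocess.run(cmd, capture_output=True).returncode == 0

def fetch_verified_json(sources, fetch, verify):
    """Return (url, manifest) from the first source whose signature verifies.

    fetch(url, limit) -> bytes raises on transport errors or oversized bodies.
    verify(data, sig) -> bool is the only step that establishes authenticity.
    """
    errors = []
    for json_url, asc_url in sources:
        try:
            data = fetch(json_url, MAX_JSON_BYTES)
            sig = fetch(asc_url, MAX_SIG_BYTES)
        except Exception as exc:  # broken TLS certs, DNS failure, oversized body
            errors.append(f"{json_url}: {exc}")
            continue
        if not verify(data, sig):  # unverified bytes never reach the JSON parser
            errors.append(f"{json_url}: bad signature")
            continue
        return json_url, json.loads(data)
    raise RuntimeError("no source yielded a signed manifest: " + "; ".join(errors))
```

A caller would pass `http_fetch` and `lambda d, s: gpgv_verify(d, s, "/path/to/release-keys.gpg")`, where the keyring path is a placeholder.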