-
Notifications
You must be signed in to change notification settings - Fork 179
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use of HTTP #176
Comments
Puppet itself supports HTTPS, but the underlying tools that puppet calls don't always support it (e.g. apt without the apt-transport-https plugin). The code you referenced is about 2 and a half years old, so I have no idea why it originally didn't use https (maybe Suse at the time didn't). I've gone ahead and changed it - hopefully someone that uses Suse will be able to test before releasing another copy the the forge. |
Thanks for the feedback. |
Greetings,
I am a security researcher, who is looking for security smells in Puppet scripts. I found instances where the HTTP protocol is used instead of HTTPS (HTTP with TLS). According to the Common Weakness Enumeration organization this is a security weakness (https://cwe.mitre.org/data/definitions/319.html). I was wondering why HTTP is used? Is it because of lack of tool support?
I am trying to find out if developers are forced to adopt bad practices due to lack of tool support when it comes to the HTTPS protocol. Maybe it is due to dependency on a resource that uses HTTP?
Any feedback is appreciated.
Source: https://github.com/pcfens/puppet-filebeat/blob/master/manifests/repo.pp (Line 57)
The text was updated successfully, but these errors were encountered: