The existence of an unsecure element in an otherwise secure page is not
a trivial concern. It opens a hole in the TLS connection through which
an attacker might inject malicious code.
See Ivan Ristic's article, "HTTPS Mixed Content: Still the Easiest Way
to Break SSL":
So avoiding HTTPS mixed content is something that every website admin
should do, all the more so when that website distributes unsigned,
non-deterministic binaries of communications software, as does
With respect to Jitsi binaries being unsigned, this is an issue which I
think also needs addressing. Note that Tor Browser binaries are all
distributed along with the GnuPG signature of one of the Tor Project
At present, those who download Jitsi have no means of authenticating
that the binary they downloaded is identical to the file on the Jitsi
server. Shouldn't Jitsi binaries be cryptographically signed?
If this seems overly paranoid, recall that the jit.si servers were
compromised last year:
- George Maschke
Fernando Cassia wrote:
On Fri, Sep 12, 2014 at 3:57 PM, George Maschke <email@example.com> wrote:
I also note that the individual download pages each contain unsecure
So what? It's a 16x16 logo!!!
This kind of nitpicking irks me a lot. It's akin to someone who sells home
alarms doing an "audit" of a property and highlighting in their report that
the 3-inch vent holes lack security bars.