Thanks for getting back to me, jitsi.org looks fine so far indeed. I
strongly urge you to make extra time to update download.jitsi.org, it's
extremely important that this software can be downloaded on an actual
secure session instead of an insecure one when someone is listening on
the wire. Unfortunately, these things happen more often in this
world, depressing isn't it?

I see that some modifications were made to download.jitsi.org, it's not
perfect and still contains some issues, what's holding you back from
applying the other options? Is the server out of date? Perhaps it would
be a suggestion to install a recent Debian Wheezy to host as a download

Another thing that would be nice, but is not related to the SSL
deployment, is providing sha256sums of the packages. In addition to
that, I hope that the Jitsi project will consider signing their packages
so users could check whether that's an actual valid package provided by
the Jitsi developers.

Thanks so far, I appreciate that you put some time into it already.

All the best,

Thanks for the note.

Jacob Appelbaum raised that same issue a few months ago but the server
didn't support it back then and we didn't get around to changing it
since the migration.

So, jitsi.org should be ok now:

We are currently investigating the options that we have for
download.jitsi.org. This may take a few weeks but we'll sort it out

Dear maintainers of Jitsi,

After the download.jitsi.org certificate expired and got replaced with a
new one, I ran some tests since I wanted to know what the SSL
infrastructure of Jitsi is like and if it needed to be improved to
ensure safe transfers of binaries from 'download.jitsi.org' and visits to
'jitsi.org'. I would like to make sure and work together with the Jitsi
sysop that we can deploy a safe SSL infrastructure to download material.

This needs to be resolved!

Disable SSL 2.0. Enable TLS 1.1 + 1.2, only use high/secure ciphers with
PFS and ECDHE ciphers if possible, add HSTS headers.

What would be a nice plus is if certificate pinning could be added to
Chrome --> https://codereview.chromium.org/ this makes
eavesdropping/inserting a backdoored version of Jitsi a lot harder.

I'm not subscribed to the list, I'm more than happy to help out, if you
email the list, make sure to CC me.

All the best,
Give a man a fish and you feed him for a day; teach a man to fish and
you feed him for life.
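
The sha256sums suggestion made in the thread, shown as an added example (not part of the original messages and not Jitsi project code): a verifier for a checksum list in `sha256sum` output format that fails closed on unlisted or modified files. The file name and package bytes are constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile

HEX = set("0123456789abcdef")


def parse_sha256sums(text):
    """Parse sha256sum output: '<64 hex>  <name>' (text) or '<64 hex> *<name>' (binary)."""
    sums = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, rest = line.partition(" ")
        digest = digest.lower()
        if len(digest) != 64 or not set(digest) <= HEX or len(rest) < 2 or rest[0] not in " *":
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[rest[1:]] = digest  # rest[0] is the mode marker, the name follows
    return sums


def sha256_file(path, chunk_size=1 << 16):
    """Hash the file in chunks so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, sums):
    """True only if the file is listed and its digest matches."""
    expected = sums.get(os.path.basename(path))
    if expected is None:
        return False  # unlisted file: fail closed
    return hmac.compare_digest(sha256_file(path), expected)


def demo():
    # Constructed sample: a stand-in package and its matching checksum list.
    with tempfile.TemporaryDirectory() as d:
        pkg = os.path.join(d, "example-package.deb")  # hypothetical file name
        with open(pkg, "wb") as f:
            f.write(b"constructed package bytes\n")
        sums = parse_sha256sums(f"{sha256_file(pkg)}  example-package.deb\n")
        intact = verify_download(pkg, sums)
        with open(pkg, "ab") as f:
            f.write(b"tampered")  # simulate modification in transit
        return intact, verify_download(pkg, sums)


if __name__ == "__main__":
    print(demo())
```

A checksum list fetched over the same unauthenticated channel as the package can be replaced along with it, which is why the thread asks for both a properly configured TLS download host and signed packages.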
On 05/23/2013 11:30 AM, Emil Ivov wrote:
On 22.05.13, 16:17, Jurre van Bergen wrote: