Opened 6 years ago

#3155 new feature-request

[Security] [Feature request] Use HTTPS for Deluge binaries, source, and web registration page

Reported by: catball
Owned by:
Priority: major
Milestone: not applicable
Component: Packaging
Version: other (please specify)
Keywords: https, encryption, security, feature request
Cc: catleeball@…

Description

Feature request:

Host Deluge website, binary downloads, source code, and bug tracker with HTTPS encryption.


Why is this needed:

Especially when downloading binaries or registering for an account on this website to report bugs, it is trivial for a man-in-the-middle attacker to substitute the Deluge binaries with their own malicious binaries. Likewise, when registering for an account to report bugs here, credentials are sent in clear HTTP and can be trivially sniffed over the network.


How to fix:

Thankfully it is presently easy and free to get certificates from CAs like Let's Encrypt (https://letsencrypt.org/) and tools like Certbot make it easy to request and use certs (https://certbot.eff.org/). A good starting point might be here: (https://letsencrypt.org/getting-started/)


Ideal state:

Ideally, all web elements of the Deluge website deluge-torrent.org and all subdomains including dev.deluge-torrent.org and download.deluge-torrent.org should be encrypted.

Additionally, providing checksums of Deluge binaries with a relatively secure hashing algorithm like SHA256 and/or PGP verification for files would be good, so users can verify their downloads.
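
Added example, not part of the original ticket and not Deluge project code: a SHA256 manifest check showing that a published checksum only detects a substituted binary when the manifest itself arrives over an authenticated channel (HTTPS or a PGP signature). The file name, the sample bytes and the `sha256sum`-style manifest format are assumptions constructed for illustration.

```python
import hashlib
import hmac
import string

def parse_manifest(text):
    """Parse sha256sum-style lines: '<64 hex digits>  <filename>'."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip()
        if name.startswith("*"):          # binary-mode marker used by sha256sum
            name = name[1:]
        if len(digest) != 64 or not set(digest) <= set(string.hexdigits) or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name] = digest.lower()
    return entries

def verify(data, name, manifest_text):
    """Return 'ok', 'mismatch' or 'unlisted' for a download published as `name`."""
    expected = parse_manifest(manifest_text).get(name)
    if expected is None:
        return "unlisted"                 # fail closed: no entry means not verified
    actual = hashlib.sha256(data).hexdigest()
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"

def manifest_for(data, name):
    """Build the one-line manifest a publisher would generate for `data`."""
    return f"{hashlib.sha256(data).hexdigest()}  {name}\n"

# Constructed sample data (hypothetical file name, placeholder contents).
NAME = "deluge-example.tar.xz"
GENUINE = b"constructed stand-in for the published release archive"
SUBSTITUTED = b"constructed stand-in for an archive swapped in transit"

# Manifest obtained over an authenticated channel (HTTPS or PGP-signed).
TRUSTED_MANIFEST = manifest_for(GENUINE, NAME)
# Manifest fetched over the same plain-HTTP path as the file: anyone able to
# replace the archive can replace this too, so the digest matches the swap.
UNAUTHENTICATED_MANIFEST = manifest_for(SUBSTITUTED, NAME)

if __name__ == "__main__":
    print("genuine vs trusted manifest:        ", verify(GENUINE, NAME, TRUSTED_MANIFEST))
    print("substituted vs trusted manifest:    ", verify(SUBSTITUTED, NAME, TRUSTED_MANIFEST))
    print("substituted vs plain-HTTP manifest: ", verify(SUBSTITUTED, NAME, UNAUTHENTICATED_MANIFEST))
```

The third case returns `ok`, which is why checksums complement HTTPS or PGP signatures rather than replace them.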

Change History (0)
