Opened 15 months ago

#3155 new feature-request

[Security] [Feature request] Use HTTPS for Deluge binaries, source, and web registration page

Reported by: catball Owned by:
Priority: major Milestone: not applicable
Component: Packaging Version: other (please specify)
Keywords: https, encryption, security, feature request Cc: catleeball@…

Description

Feature request:

Host Deluge website, binary downloads, source code, and bug tracker with HTTPS encryption.


Why is this needed:

Especially when downloading binaries or registering for an account on this website to report bugs, it is trivial for a man-in-the-middle attacker to substitute the Deluge binaries with their own malicious binaries. Likewise, when registering for an account to report bugs here, credentials are sent in clear HTTP and can be trivially sniffed over the network.


How to fix:

Thankfully it is presently easy and free to get certificates from CAs like Let's Encrypt (https://letsencrypt.org/) and tools like Certbot make it easy to request and use certs (https://certbot.eff.org/). A good starting point might be here: (https://letsencrypt.org/getting-started/)


Ideal state:

Ideally, all web elements of the deluge website deluge-torrent.org and all subdomains including dev.deluge-torrent.org and download.deluge-torrent.org should be encrypted.

Additionally, providing checksums of Deluge binaries with a relatively secure hashing algorithm like SHA256 and/or PGP verification for files would be good, so users can verify their downloads.

Change History (0)

Note: See TracTickets for help on using tickets.