#546 download links on getfedora should use https
Closed: Invalid. Opened 8 years ago by mattdm.

We have a general effort to use https to reduce risk of MITM attacks. Right now, the links like https://getfedora.org/en/cloud/download/download-cloud-splash?file=http://download.fedoraproject.org/pub/fedora/linux/releases/22/Cloud/x86_64/Images/Fedora-Cloud-Atomic-22-20150521.x86_64.qcow2 use http — they should use HTTPS.

Thank you!


Updated the links, should sync out soon. Keep in mind we do not have control over the mirrors, so we cannot force them to use HTTPS, nor do we have control of mirrors serving bad data. Users will need to verify their images in order to ensure that they are correct.

Thanks, cydrobolt. Just added the changes also to the download splash to let them work with https.

The changes are now applied for every website, labs.fpo, arm.fpo and spins.fpo included.

Note that this actually doesn't fix anything, it just 'kicks the can down the road'.

download.fedoraproject.org is a redirect via mirrormanager to a mirror. Those mirrors could well be using http.

So, all we did is make the redirect use https, but it just redirects you to an http mirror, so does that fix anything?

Until/unless we get a way to tell mirrormanager "we only want https links" I don't think this is solved.

IMHO this should probably be tracked in mirrormanager since there is nothing in the websites that can be done about this. Also, one should not trust the mirrors; therefore the additional validation steps as outlined in https://getfedora.org/en/verify could be made more prominent.
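As an added example (not code from the ticket or from Fedora), the two checks this thread points at: inspecting whether a redirect chain ever hops to plain http, and verifying an image against a Fedora-style CHECKSUM file. The redirect headers, the mirror hostname and the CHECKSUM contents are constructed.

```python
"""Added example (not the ticket's or Fedora's code): audit a download redirect
chain for http hops and check an image against a Fedora-style CHECKSUM file."""
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample of what `curl -sIL` shows for the ticket's scenario: the https
# link on download.fedoraproject.org redirects to a plain-http mirror (made-up host).
START_URL = ("https://download.fedoraproject.org/pub/fedora/linux/releases/22/Cloud/"
             "x86_64/Images/Fedora-Cloud-Atomic-22-20150521.x86_64.qcow2")
SAMPLE_HEADERS = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://mirror.example.org/pub/fedora/linux/releases/22/Cloud/"
    "x86_64/Images/Fedora-Cloud-Atomic-22-20150521.x86_64.qcow2\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Length: 12345\r\n\r\n"
)

def redirect_chain(start_url, raw_headers):
    """Every URL visited, starting with start_url, taken from Location headers."""
    chain = [start_url]
    for m in re.finditer(r"^Location:\s*(\S+)", raw_headers, re.M | re.I):
        chain.append(m.group(1))
    return chain

def insecure_hops(chain):
    """Hops not served over https: if any, the https link only moved the
    problem one redirect further and the image bytes travelled over http."""
    return [u for u in chain if urlparse(u).scheme.lower() != "https"]

# Fedora CHECKSUM files are clearsigned and list BSD-style 'SHA256 (name) = hex'
# lines; verify the signature with gpg first, then trust the digests.
CHECKSUM_LINE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-f]{64})$")

def verify_checksums(checksum_text, contents):
    """Compare files (name -> bytes) with the listed digests; returns {name: bool}.
    Listed files absent locally are skipped, like sha256sum -c --ignore-missing."""
    results = {}
    for line in checksum_text.splitlines():
        m = CHECKSUM_LINE.match(line.strip())
        if m and m["name"] in contents:
            actual = hashlib.sha256(contents[m["name"]]).hexdigest()
            results[m["name"]] = actual == m["digest"]
    return results

# Constructed CHECKSUM text and contents; the digest is SHA-256 of b"abc".
SAMPLE_CHECKSUM = """# constructed CHECKSUM file (a real one carries a PGP signature)
SHA256 (good.qcow2) = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
SHA256 (bad.qcow2) = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
"""
SAMPLE_FILES = {"good.qcow2": b"abc", "bad.qcow2": b"abd"}
```

Run against real headers by feeding `curl -sIL <url>` output to `redirect_chain`; a non-empty `insecure_hops` result is exactly the situation kevin describes, where only the redirect was https.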

Websites cannot do much here, so I'm going to close the ticket, but feel free to reopen it on pagure if needed. Mirrormanager is probably a better option to talk to.
