Apache download links that says this site it's not secure

 
Ranch Hand
Posts: 47
Hi, I'm new to security aspects and I'm trying to download an Apache tool named Axis2 for web services.

My problem is that when I click the download link, a page comes up saying this site is not secure, and then a few options are given to me: one that says take me out and another that says I know what I'm doing. My question is: how can a big site like Apache.org have these kinds of insecure download links?? And what should I do in this case, should I download the file or shouldn't I?

Here's the link https://www.us.apache.org/dist//axis/axis2/java/core/1.6.3/axis2-1.6.3-bin.zip

Why does Apache do this, or is it something wrong with my web browser?
 
Ranch Hand
Posts: 417
Java

www.us.apache.org uses an invalid security certificate. The certificate is only valid for *.apache.org (Error code: ssl_error_bad_cert_domain)


That certificate seems safe; it's just that www.us.apache.org doesn't match *.apache.org. It matches *.*.apache.org. It happens all the time.

Just google for the fingerprint of the certificate:


It says:
https://www.apache.org/dev/machines.html (scroll down towards the end to "SSL Keys").

which seems legit enough.

Disclaimer: Use at your own risk ;-)

Anyway, on top of that, you should check the signature of the package, or at least some MD5 or SHA sums confirming the package is legit.

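
The hostname-matching rule behind that ssl_error_bad_cert_domain error, as an added example that is not code from the thread or from Apache: a wildcard in a certificate name stands in for exactly one DNS label, so *.apache.org covers www.apache.org but not www.us.apache.org, and a name with a wildcard in more than one label is not accepted at all. The function names and the constructed SAN list are my own.

```python
"""Certificate hostname matching (RFC 6125 style) -- added example.

Not code from the thread or from Apache.  Shows why a browser refuses a
certificate issued for *.apache.org when the URL host is www.us.apache.org:
the wildcard stands in for exactly one DNS label.
"""
from typing import Iterable, List, Optional


def _labels(name: str) -> List[str]:
    # A trailing dot (absolute name) and letter case are not significant in DNS.
    return name.rstrip(".").lower().split(".")


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if the certificate name `pattern` (a SAN dNSName or CN) covers `hostname`.

    Rules, as browsers apply them (RFC 6125 section 6.4.3 plus the CA/Browser
    Forum practice of only issuing whole-label wildcards):
      * compare case-insensitively, label by label;
      * a wildcard is allowed only as the entire left-most label;
      * it matches exactly one label: never zero, never two or more;
      * a wildcard needs at least two fixed labels after it ("*.org" is refused).
    """
    p = _labels(pattern)
    h = _labels(hostname)
    if "" in p or "" in h:
        return False                      # empty label, e.g. "www..apache.org"
    if "*" not in pattern:
        return p == h                     # plain name: exact match only
    if p[0] != "*" or any("*" in lbl for lbl in p[1:]):
        return False                      # "w*.apache.org" or "*.*.apache.org"
    if len(p) < 3:
        return False                      # "*" or "*.org"
    if len(h) != len(p):
        return False                      # "*" is one label, so label counts must agree
    return h[1:] == p[1:]


def first_matching_name(names: Iterable[str], hostname: str) -> Optional[str]:
    """Return the first certificate name that covers `hostname`, or None.

    With the names a wildcard cert for apache.org would typically carry,
    www.apache.org is covered and www.us.apache.org is not, which is exactly
    the ssl_error_bad_cert_domain case from the thread.
    """
    for name in names:
        if hostname_matches(name, hostname):
            return name
    return None


if __name__ == "__main__":
    cert_names = ["*.apache.org", "apache.org"]   # constructed SAN list
    for host in ("www.apache.org", "www.us.apache.org", "apache.org"):
        print(host, "->", first_matching_name(cert_names, host))
```

The label-count comparison is the whole story: www.us.apache.org has four labels, *.apache.org has three, and the wildcard is not allowed to absorb the extra one. A certificate that did cover the host would need www.us.apache.org, *.us.apache.org or similar listed in its SAN extension.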
 
A.J. Côté
Ranch Hand
Posts: 417
Java
IMHO, TLS (SSL) gives you a false sense of security anyway. I do not mind downloading public packages through plain HTTP since there isn't anything to keep secret. The package is public anyway.

The important part, security-wise, is to check the package signature. With Apache, it is usually easy to guess. The following link gives you the package signature:


https://www.us.apache.org/dist//axis/axis2/java/core/1.6.3/axis2-1.6.3-bin.zip.asc

then:

$ gpg axis2-1.6.3-bin.zip.asc
gpg: assuming signed data in `axis2-1.6.3-bin.zip'
gpg: Signature made Sat 27 Jun 2015 07:08:05 PM EDT using RSA key ID EE08B906
gpg: Good signature from "Andreas Veithen (CODE SIGNING KEY) <veithen@apache.org>"
gpg: aka "Andreas Veithen <andreas.veithen@gmail.com>"
gpg: aka "Andreas Veithen (CODE SIGNING KEY) <andreas.veithen@gmail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2D3C 43AC 36E5 BCFC 9696 F996 CE13 E82A EE08 B906

Again, verify the signer key. Google for:


It gives you:
https://people.apache.org/list_V.html

Scroll down to Veithen:


Andreas Veithen
Homepage | Geographical Location

Projects:
Apache Axiom
Apache Axis2
Apache Synapse

PGP Keys:
ID: EE08B906 Fingerprint: 2D3C 43AC 36E5 BCFC 9696 F996 CE13 E82A EE08 B906

Weblogs:
Andreas Veithen's blog


Seems legit. TLS (SSL) to transfer the package gives you nothing if the packages are public anyway.
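
The manual checks in this thread (the checksum the earlier reply mentions, and the gpg verification plus fingerprint lookup shown in this post) turned into a script, as an added example that is not code from the thread, from Apache or from GnuPG. It pins the full 40-hex-digit primary key fingerprint rather than the 8-digit key ID, reads gpg's machine-readable --status-fd output instead of grepping for "Good signature", and imports the project's KEYS file into a throw-away keyring so it never lands in your personal one. The verify_release helper assumes a gpg binary on PATH; the status lines embedded at the bottom are constructed in the shape GnuPG documents in doc/DETAILS, not captured from a real run, so the parser can be exercised offline.

```python
"""Signature and checksum verification for a downloaded release -- added example.

Not code from the thread, from Apache or from GnuPG.  A "Good signature" line
only proves that *some* key signed the file; what ties the file to the project
is that the primary key fingerprint equals the one the project publishes.
"""
import hashlib
import subprocess
from typing import Iterable, List, Optional

# Fingerprint the thread looked up on https://people.apache.org/list_V.html,
# normalised to 40 hex digits with no spaces.
PINNED_PRIMARY_FPR = "2D3C43AC36E5BCFC9696F996CE13E82AEE08B906"

_FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}


def normalise_fpr(fpr: str) -> str:
    """Make "2D3C 43AC ..." and "2d3c43ac..." compare equal."""
    return "".join(fpr.split()).upper()


def check_status(status_lines: Iterable[str], pinned_fpr: str) -> bool:
    """True only if gpg reported VALIDSIG and its primary key matches pinned_fpr.

    VALIDSIG fields (doc/DETAILS): <sig-key fpr> <date> <timestamp> <expiry>
    <version> <reserved> <pubkey-algo> <hash-algo> <sig-class> <primary fpr>.
    The last field is the primary key even when a signing subkey made the
    signature, so that is the one to pin.  Any failure keyword anywhere in
    the output fails the whole check, even if another signature was good.
    """
    pinned = normalise_fpr(pinned_fpr)
    seen_primary: Optional[str] = None
    for raw in status_lines:
        fields = raw.strip().split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword in _FAILURE_KEYWORDS:
            return False
        if keyword == "VALIDSIG" and len(fields) >= 3:
            seen_primary = normalise_fpr(fields[11] if len(fields) >= 12 else fields[2])
    return seen_primary is not None and seen_primary == pinned


def digest_matches(data: bytes, expected_hex: str, algo: str = "sha512") -> bool:
    """Compare a downloaded file against a published .sha512/.sha256 value.

    A checksum fetched from the same mirror as the archive only detects a
    corrupted download; it is the signature check above that proves origin.
    """
    actual = hashlib.new(algo, data).hexdigest()
    return actual == expected_hex.strip().lower()


def verify_release(artifact: str, signature: str, keys_file: str,
                   pinned_fpr: str, homedir: str) -> bool:
    """Import the project's KEYS file into a throw-away keyring in `homedir`
    and verify `signature` (the .asc) over `artifact`.  Assumes a gpg binary
    on PATH; KEYS, .asc and the fingerprint should come from the project's
    canonical https site rather than from the mirror serving the archive.
    """
    base = ["gpg", "--batch", "--homedir", homedir]
    subprocess.run(base + ["--import", keys_file], check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    proc = subprocess.run(base + ["--status-fd", "1", "--verify", signature, artifact],
                          capture_output=True, text=True)
    # Do not rely on proc.returncode: exit 0 means "a good signature exists",
    # not "signed by the key we expect".
    return check_status(proc.stdout.splitlines(), pinned_fpr)


# Constructed status output in the shape gpg --status-fd 1 --verify emits
# (not captured from a real run); used to exercise check_status offline.
STATUS_OK: List[str] = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG CE13E82AEE08B906 Andreas Veithen (CODE SIGNING KEY) <veithen@apache.org>",
    "[GNUPG:] VALIDSIG 2D3C43AC36E5BCFC9696F996CE13E82AEE08B906 2015-06-27 1435446485 0 4 0 1 10 00 "
    "2D3C43AC36E5BCFC9696F996CE13E82AEE08B906",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",   # the "not certified" warning, in status form
]
STATUS_OTHER_KEY: List[str] = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Somebody Else <somebody@example.invalid>",
    "[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2015-06-27 1435446485 0 4 0 1 10 00 "
    "0000000000000000000000000123456789ABCDEF",
]
STATUS_BAD: List[str] = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG CE13E82AEE08B906 Andreas Veithen (CODE SIGNING KEY) <veithen@apache.org>",
]
```

A real run looks like `verify_release("axis2-1.6.3-bin.zip", "axis2-1.6.3-bin.zip.asc", "KEYS", PINNED_PRIMARY_FPR, "/tmp/axis2-verify-keyring")`, after fetching the archive, its .asc and the project's KEYS file. The fingerprint is pinned in full because the 32-bit key ID EE08B906 printed by gpg is only the last eight hex digits of it and is cheap to collide; the TRUST_UNDEFINED line that gpg also prints is exactly the "not certified with a trusted signature" warning from the post, and the fingerprint comparison is what answers it.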