Apache download links that say this site is not secure

Ranch Hand
Posts: 47
Hi, I'm new to security aspects and I'm trying to download an Apache tool named Axis2 for web services.

My problem is that when I click the download link, a page appears saying this site is not secure, and then a few options are given to me: one that says take me out and another that says I know what I'm doing. My question is: how can a big site like Apache.org have these kinds of insecure download links?? And what should I do in this case, should I download the file or not?

Here's the link https://www.us.apache.org/dist//axis/axis2/java/core/1.6.3/axis2-1.6.3-bin.zip

Why does Apache do this, or is it something wrong with my web browser?
Ranch Hand
Posts: 417

www.us.apache.org uses an invalid security certificate. The certificate is only valid for *.apache.org (Error code: ssl_error_bad_cert_domain)


That certificate seems safe; it's just that www.us.apache.org doesn't match *.apache.org. It matches *.*.apache.org. It happens all the time.

Just google for the fingerprint of the certificate:


It says:
https://www.apache.org/dev/machines.html (scroll down towards the end to "SSL Keys").

which seems legit enough.

Disclaimer: Use at your own risk ;-)

Anyway, on top of that, you should check the signature of the package, or at least some MD5 or SHA sums confirming the package is legit.
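The browser warning quoted above is a hostname-matching failure, not a forged certificate. The following is an added example, not code from this thread or from Apache, that implements the wildcard rule browsers apply (RFC 6125 / RFC 2818): a wildcard may only be the whole left-most label and it stands for exactly one label, so "*.apache.org" covers "www.apache.org" but neither "www.us.apache.org" nor the bare "apache.org". The certificate name list is a constructed stand-in for the "only valid for *.apache.org" message.

```python
"""Hostname matching against a certificate's names, the check behind
"ssl_error_bad_cert_domain".

Added example; not code from the thread or from Apache.
"""
from __future__ import annotations

from typing import Iterable, Optional


def name_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate name (a SAN dNSName or the CN) covers hostname."""
    pattern_labels = pattern.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")

    # A wildcard stands for exactly one label, so label counts must agree;
    # this is the line that rejects www.us.apache.org against *.apache.org.
    if len(pattern_labels) != len(host_labels):
        return False

    if "*" in pattern:
        # Only the left-most label may be the wildcard, and only as a whole
        # label ("w*.apache.org" and "www.*.apache.org" are both rejected).
        if pattern_labels[0] != "*" or any("*" in lab for lab in pattern_labels[1:]):
            return False
        # Refuse wildcards that would cover a whole top-level domain ("*.org").
        if len(pattern_labels) < 3:
            return False

    return all(p == "*" or p == h for p, h in zip(pattern_labels, host_labels))


def cert_covers(cert_names: Iterable[str], hostname: str) -> Optional[str]:
    """Return the first certificate name that covers hostname, else None.

    None is the case where a browser shows the "not secure" interstitial.
    """
    for name in cert_names:
        if name_matches(name, hostname):
            return name
    return None


# Constructed stand-in for the names in the certificate the browser
# complained about: the message said it was "only valid for *.apache.org".
APACHE_CERT_NAMES = ["*.apache.org"]

if __name__ == "__main__":
    for host in ("www.apache.org", "apache.org", "www.us.apache.org"):
        print(host, "->", cert_covers(APACHE_CERT_NAMES, host))
```

Running it shows www.apache.org covered and www.us.apache.org not, which is exactly the mismatch the browser reported; a second-level wildcard would need its own certificate (or a SAN for the extra label) to pass this check.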
A.J. Côté
Ranch Hand
Posts: 417
Java
IMHO, TLS (SSL) gives you a false sense of security anyway. I do not mind downloading public packages through plain HTTP since there isn't anything to keep secret. The package is public anyway.

The important part, security-wise, is to check the package signature. With Apache, it is usually easy to guess. The following link gives you the package signature:


https://www.us.apache.org/dist//axis/axis2/java/core/1.6.3/axis2-1.6.3-bin.zip.asc

then:

$ gpg axis2-1.6.3-bin.zip.asc
gpg: assuming signed data in `axis2-1.6.3-bin.zip'
gpg: Signature made Sat 27 Jun 2015 07:08:05 PM EDT using RSA key ID EE08B906
gpg: Good signature from "Andreas Veithen (CODE SIGNING KEY) <veithen@apache.org>"
gpg: aka "Andreas Veithen <andreas.veithen@gmail.com>"
gpg: aka "Andreas Veithen (CODE SIGNING KEY) <andreas.veithen@gmail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2D3C 43AC 36E5 BCFC 9696 F996 CE13 E82A EE08 B906

Again, verify the signer key. Google for:


It gives you:
https://people.apache.org/list_V.html

Scroll down to Veithen:


Andreas Veithen | Homepage | Geographical Location

Projects:

Apache Axiom
Apache Axis2
Apache Synapse

PGP Keys:

ID: EE08B906 Fingerprint: 2D3C 43AC 36E5 BCFC 9696 F996 CE13 E82A EE08 B906

Weblogs

Andreas Veithen's blog



Seems legit. TLS (SSL) to transfer the package gives you nothing if the packages are public anyway.

With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
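The gpg run above ends with "Good signature" plus a by-hand comparison of the fingerprint against the people.apache.org listing. When that verification is scripted, the comparison has to be explicit, because gpg's "This key is not certified" warning means it reports a good signature from any key that happens to be in the keyring. The following is an added example, not code from this thread and not Apache tooling: it parses the machine-readable lines gpg emits with `--status-fd` and accepts only a GOODSIG whose VALIDSIG fingerprint matches a pinned full fingerprint (the 8-hex-digit key ID shown in the listing is deliberately not enough). The status lines are constructed to look like the signature in the thread; the `verify_with_gpg` wrapper assumes a `gpg` binary on PATH with the signer's key already imported.

```python
"""Decide whether a gpg signature check is acceptable from its status output.

Added example, not code from the forum thread or from Apache.
"""
from __future__ import annotations

import re
import subprocess
from typing import Iterable

# Full fingerprint of Andreas Veithen's code-signing key, copied from the
# people.apache.org listing quoted in the thread.
PINNED = {"2D3C 43AC 36E5 BCFC 9696 F996 CE13 E82A EE08 B906"}


def normalize_fpr(fpr: str) -> str:
    """Canonical form: upper-case hex only, no spaces, no '0x' prefix."""
    fpr = fpr.strip()
    if fpr[:2].lower() == "0x":
        fpr = fpr[2:]
    return re.sub(r"[^0-9A-Fa-f]", "", fpr).upper()


def check_status(status_output: str, pinned: Iterable[str]) -> tuple[bool, str]:
    """Return (accepted, reason) for one gpg --status-fd run.

    Accept only if no BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG appears, a GOODSIG
    appears, and the VALIDSIG fingerprint (signing key or its primary key)
    is one of the pinned fingerprints.  GOODSIG's key ID is ignored: short
    IDs are too easy to collide to pin on.
    """
    allowed = {normalize_fpr(f) for f in pinned}
    good = False
    seen: list[str] = []
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # ordinary gpg chatter, not a status line
        fields = line.split()
        tag = fields[1]
        if tag in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            return False, f"gpg reported {tag}"
        if tag == "GOODSIG":
            good = True
        elif tag == "VALIDSIG":
            # fields[2] is the signing key's fingerprint; the optional 12th
            # field is the primary key's fingerprint when a subkey signed.
            seen.append(normalize_fpr(fields[2]))
            if len(fields) >= 12:
                seen.append(normalize_fpr(fields[-1]))
        # TRUST_UNDEFINED is the status form of the "not certified" warning
        # in the thread; the pinned-fingerprint check below replaces it.
    if not good:
        return False, "no GOODSIG line (signature not verified)"
    for fpr in seen:
        if len(fpr) == 40 and fpr in allowed:
            return True, f"good signature from pinned key {fpr}"
    return False, "good signature, but signing key is not a pinned fingerprint"


def verify_with_gpg(signature_path: str, data_path: str, pinned=PINNED):
    """Run gpg on a detached .asc and apply check_status to its status lines.

    Assumes a gpg binary on PATH and the signer's public key already imported
    (for Apache releases, from the project's KEYS file).
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature_path, data_path],
        capture_output=True, text=True, check=False,
    )
    return check_status(proc.stdout, pinned)


# Constructed status output shaped like gpg's for the signature in the thread
# (timestamp fields are placeholders).
GOOD_RUN = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG CE13E82AEE08B906 Andreas Veithen (CODE SIGNING KEY) <veithen@apache.org>
[GNUPG:] VALIDSIG 2D3C43AC36E5BCFC9696F996CE13E82AEE08B906 2015-06-27 1435446485 0 4 0 1 8 00 2D3C43AC36E5BCFC9696F996CE13E82AEE08B906
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: a valid signature, but from a key nobody pinned.
UNKNOWN_KEY_RUN = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <someone@example.invalid>
[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF01234567 2015-06-27 1435446485 0 4 0 1 8 00 00112233445566778899AABBCCDDEEFF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: the archive was modified after signing.
BAD_RUN = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG CE13E82AEE08B906 Andreas Veithen (CODE SIGNING KEY) <veithen@apache.org>
"""

if __name__ == "__main__":
    for label, run in (("good", GOOD_RUN), ("unknown key", UNKNOWN_KEY_RUN), ("bad", BAD_RUN)):
        print(label, "->", check_status(run, PINNED))
```

The unknown-key case is the one the thread's manual fingerprint lookup guards against: a substituted archive with a substituted .asc still verifies as "Good signature" once the attacker's key is in your keyring, and only the pinned-fingerprint comparison catches it.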