use http for stream mirror, not https

Bug #1582836 reported by Scott Moser on 2016-05-17
This bug affects 1 person
Affects Status Importance Assigned to Milestone
MAAS
Critical
Unassigned

Bug Description

Under bug 1566848 and the merge at https://code.launchpad.net/~ltrager/maas/xenial_default/+merge/291210 there was a change from http to https with no description as to why.

Since stream data is GPG-signed and the GPG key is delivered through the apt archive, the images are securely transmitted (without encryption) over insecure https, and their content is correctly verified before use by MAAS.

HTTPS provides very little value here even by encrypting the content, as any eavesdropper could still see that you were doing traffic to maas.io, and there is not much other reason for traffic to maas.io other than getting MAAS images.

HTTP allows for caching proxies along the way to do what they do well.
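
The integrity argument in the description above, as an added example that is not part of the original report and is not MAAS or simplestreams code: once the stream metadata's GPG signature has been checked, each item fetched over plain HTTP (possibly via a caching proxy) is accepted only if it matches the size and SHA-256 recorded in that signed metadata. The signature check itself is assumed to have already happened and is not shown; the product name, version, path and image bytes are constructed sample values.

```python
import hashlib


class IntegrityError(Exception):
    """Fetched bytes do not match the signed stream metadata."""


def verify_item(signed_products, product, version, item, data):
    """Check bytes fetched over an untrusted transport against signed metadata.

    signed_products must be a products document whose GPG signature the
    caller has ALREADY verified (assumption; that step is not shown here).
    Returns the item's path on success, raises IntegrityError otherwise.
    """
    try:
        meta = signed_products["products"][product]["versions"][version]["items"][item]
    except KeyError as exc:
        raise IntegrityError(f"not listed in signed metadata: {exc}") from exc
    if "sha256" not in meta:
        # Without a signed digest the transport would be the only protection.
        raise IntegrityError("no sha256 in signed metadata; refusing item")
    if "size" in meta and len(data) != int(meta["size"]):
        raise IntegrityError(f"size mismatch: got {len(data)}, want {meta['size']}")
    if hashlib.sha256(data).hexdigest() != meta["sha256"].lower():
        raise IntegrityError("sha256 mismatch: content altered in transit or by a proxy")
    return meta.get("path")


# Constructed sample data. In a real stream the digest comes from the signed
# file; it is computed here only so the sample is self-consistent.
GOOD_IMAGE = b"constructed sample image bytes\n"
PRODUCT, VERSION, ITEM = "com.example:sample:amd64", "20160517", "root-image.gz"
SIGNED_PRODUCTS = {
    "format": "products:1.0",
    "products": {PRODUCT: {"versions": {VERSION: {"items": {ITEM: {
        "ftype": "root-image.gz",
        "path": "sample/amd64/20160517/root-image.gz",
        "size": len(GOOD_IMAGE),
        "sha256": hashlib.sha256(GOOD_IMAGE).hexdigest(),
    }}}}}},
}

if __name__ == "__main__":
    print("accepted:", verify_item(SIGNED_PRODUCTS, PRODUCT, VERSION, ITEM, GOOD_IMAGE))
    try:
        verify_item(SIGNED_PRODUCTS, PRODUCT, VERSION, ITEM, GOOD_IMAGE.upper())
    except IntegrityError as err:
        print("rejected:", err)
```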

Mike Pontillo (mpontillo) wrote :

I think this is a critical issue because it also prevents customers from creating a mirror by means of a DNS man-in-the-middle.

Changed in maas:
status: New → Triaged
importance: Undecided → Critical
milestone: none → 2.0.0
Mike Pontillo (mpontillo) wrote :

I am changing the default URL anyway for https://code.launchpad.net/~mpontillo/maas/fresh-images/+merge/294926 so I'll address this at the same time.

Changed in maas:
status: Triaged → Fix Committed
Changed in maas:
status: Fix Committed → Fix Released