{"id":15458,"date":"2016-07-29T14:12:51","date_gmt":"2016-07-29T18:12:51","guid":{"rendered":"http:\/\/mjtsai.com\/blog\/?p=15458"},"modified":"2016-07-29T14:30:52","modified_gmt":"2016-07-29T18:30:52","slug":"dont-trust-sourceforge-downloads","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2016\/07\/29\/dont-trust-sourceforge-downloads\/","title":{"rendered":"Don&rsquo;t Trust Sourceforge Downloads"},"content":{"rendered":"<p><a href=\"https:\/\/glyph.twistedmatrix.com\/2016\/07\/dont-trust-sourceforge.html\">@glyph<\/a>:<\/p>\n<blockquote cite=\"https:\/\/glyph.twistedmatrix.com\/2016\/07\/dont-trust-sourceforge.html\">\n<p>In addition to injecting malware into their downloads (a practice they claim,\nhopefully truthfully, to have stopped), Sourceforge also presents an initial\ndownload page over HTTPS, <em>then redirects the user to HTTP for the download\nitself<\/em>, snatching defeat from the jaws of victory.  This is fantastically\nirresponsible, <em>especially<\/em> for a site offering un-sandboxed binaries for\ndownload, <em>especially<\/em> in the era of <a href=\"https:\/\/letsencrypt.org\">Let&rsquo;s Encrypt<\/a>\nwhere getting a TLS certificate takes\n<a href=\"https:\/\/txacme.readthedocs.io\/en\/latest\/using.html#server-endpoint-string\">approximately thirty seconds and exactly zero dollars<\/a>.<\/p>\n<\/blockquote>\n<p>Previously: <a href=\"http:\/\/mjtsai.com\/blog\/2015\/06\/04\/what-happened-to-sourceforge\/\">What Happened to SourceForge?<\/a><\/p>","protected":false},"excerpt":{"rendered":"<p>@glyph: In addition to injecting malware into their downloads (a practice they claim, hopefully truthfully, to have stopped), Sourceforge also presents an initial download page over HTTPS, then redirects the user to HTTP for the download itself, snatching defeat from the jaws of victory. This is fantastically irresponsible, especially for a site offering un-sandboxed binaries [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"","apple_news_api_id":"","apple_news_api_modified_at":"","apple_news_api_revision":"","apple_news_api_share_url":"","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[48,1209,96],"class_list":["post-15458","post","type-post","status-publish","format-standard","hentry","category-technology","tag-security","tag-sourceforge","tag-web"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/15458","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=15458"}],"version-history":[{"count":1,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/15458\/revisions"}],"predecessor-version":[{"id":15459,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/15458\/revisions\/15459"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=15458"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=15458"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=15458"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}