Bug 267490 - No secure way of downloading NetBeans provided on netbeans.org for Linux and OS Independent ZIP
Summary: No secure way of downloading NetBeans provided on netbeans.org for Linux and ...
Status: RESOLVED FIXED
Alias: None
Product: www
Classification: Unclassified
Component: Downloads
Version: 8.2
Hardware: PC Linux
Importance: P2 normal
Assignee: pgebauer
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-08-08 20:11 UTC by netmackan
Modified: 2016-08-25 08:23 UTC
CC List: 2 users

See Also:
Issue Type: ENHANCEMENT
Exception Reporter:


Attachments
Image of download page showing URL of link and MD5 hash (110.51 KB, image/png)
2016-08-08 20:18 UTC, netmackan
Description netmackan 2016-08-08 20:11:21 UTC
1) The netbeans.org download page (https://netbeans.org/downloads/index.html) only provides the binary over insecure HTTP (!).

This means that on an insecure network the download could potentially be manipulated and the victim's computer taken over.

2) In addition, the user can easily be tricked into believing HTTPS is used, as the download page uses it, and miss the fact that the download that is started automatically (or by clicking the "download it here" link) uses HTTP:
http://download.netbeans.org/netbeans/8.1/final/bundles/netbeans-8.1-linux.sh

This means that many users will not recognize that their computer might have been compromised.

3) In order to verify the downloaded file anyway, it could be manually checked by the user before running it by comparing its hash with the one provided on the HTTPS page. However, the hash provided is only MD5, which should not be considered safe even for this use case.

This means that it is not possible even for a security-minded person to run NetBeans without risk of a compromise.


Some quick fixes to this bug that come to mind:
- Use HTTPS also for the download of the binary/installer
- Also provide SHA-2 hashes on the download page

Longer term fixes:
- The above + provide digitally signed downloads
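The following script is an added example, not part of the bug report or of netbeans.org, showing the end-user side of the two quick fixes proposed above: fetch the installer over HTTPS only (refusing an `http://` link or a redirect that downgrades to one) and compare its SHA-256 digest, rather than MD5, against the value published on the HTTPS download page before anything is executed. The `curl` options used (`--fail`, `--location`, `--proto '=https'`, `--proto-redir '=https'`) are real curl options; the URL and expected digest in the demo are constructed placeholders, and the built-in demo uses the published SHA-256 test vector for the string "abc" so it runs without network access.

```shell
#!/bin/sh
# Added example (not from the bug report): HTTPS-only download plus SHA-256
# verification of a NetBeans-style installer. Works with GNU (sha256sum) and
# BSD/macOS (shasum) userland.

# sha256_of FILE -> prints the lowercase hex SHA-256 digest of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# require_https URL -> succeeds only for an https:// URL, so a download link
# that quietly points at plain HTTP (point 2 in the report) is rejected
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing non-HTTPS URL: $1" >&2; return 1 ;;
    esac
}

# verify_sha256 FILE EXPECTED_HEX -> succeeds only if the digest matches;
# the expected value is normalised to lowercase so copy-pasted uppercase hex works
verify_sha256() {
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $1" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# fetch_and_verify URL EXPECTED_HEX [OUT] -> downloads over HTTPS only and
# verifies the file before it is run. --proto '=https' restricts the initial
# request and --proto-redir '=https' stops a redirect from downgrading to
# http://; --fail turns an HTTP error page into a non-zero exit instead of a
# bogus "installer".
fetch_and_verify() {
    url=$1
    expected=$2
    out=${3:-$(basename "$url")}
    require_https "$url" || return 1
    curl --fail --location --proto '=https' --proto-redir '=https' \
         --output "$out" "$url" || return 1
    verify_sha256 "$out" "$expected"
}

# demo -> offline check on a constructed file: SHA-256("abc") is a published
# test vector, so no network or real installer is needed to see the flow work
demo() {
    tmp=$(mktemp)
    printf 'abc' > "$tmp"
    if verify_sha256 "$tmp" ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad; then
        echo "demo: checksum OK"
    fi
    rm -f "$tmp"
}

demo
```

Real use would be `fetch_and_verify https://download.netbeans.org/.../netbeans-8.1-linux.sh <sha256 from the HTTPS download page>` (placeholder path and digest), with the installer run only after the function returns success. A digest published on a page that is itself served over plain HTTP would add nothing, which is why the report pairs the SHA-2 hash with HTTPS.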
Comment 1 netmackan 2016-08-08 20:18:51 UTC
Created attachment 161595 [details]
Image of download page showing URL of link and MD5 hash
Comment 2 Jiri Kovalsky 2016-08-10 06:21:00 UTC
While I understand your concerns, this is not a top priority for us at the moment. We digitally sign our installers for Windows and Macintosh and we don't believe that MD5 collisions represent a serious issue. Hence downgrading to P2 enhancement.

BTW, your point #3 is a duplicate of RFE #253955. We will evaluate possibility to host binaries over the HTTPS protocol though. Thanks for your bug report.
Comment 3 Jiri Kovalsky 2016-08-10 15:23:45 UTC
Petr, can you please investigate how difficult it would be to provide SHA2 checksums instead of MD5. Thanks.
Comment 4 Quality Engineering 2016-08-16 02:51:39 UTC
Integrated into 'main-silver', will be available in build *201608160002* on http://bits.netbeans.org/dev/nightly/ (upload may still be in progress)

Changeset: http://hg.netbeans.org/main-silver/rev/4f04dc7942e8
User: PGebauer <pgebauer@netbeans.org>
Log: #267490 - No secure way of downloading NetBeans provided on netbeans.org for Linux and OS Independent ZIP
Comment 5 pgebauer 2016-08-25 08:23:55 UTC
The SHA-256 checksum has been implemented.