←back to thread

VoRS: Vo(IP) Simple Alternative to Mumble

(www.vors.stargrave.org)
86 points stargrave | 8 comments | 19 Apr 24 05:16 UTC | HN request time: 0.928s | source | bottom
1. d-z-m ◴[19 Apr 24 14:52 UTC] No.40087579[source]
> You have to verify downloaded tarballs authenticity to be sure that you retrieved trusted and untampered software.

I'm not able to access the site over TLS, so this is currently impossible. Anyone else have better luck?

    (from the installation instructions)

    $ [fetch|wget] http://www.vors.stargrave.org/download/.   vors-2.3.0.tar.zst
    $ [fetch|wget] http://www.vors.stargrave.org/download/vors-2.3.0.tar.zst.sig
    [verify signature]
    $ tar xf vors-2.3.0.tar.zst
Guarantees nothing, if you're actually being attacked. You can't serve out the tarball and the public key[0] and the signature insecurely and get any guarantees about authenticity.

[0]:http://www.vors.stargrave.org/PUBKEY-SSH.pub

replies(3): >>40088323 #>>40088358 #>>40088709 #
2. ◴[19 Apr 24 15:50 UTC] No.40088323[source]
3. someguydave ◴[19 Apr 24 15:52 UTC] No.40088358[source]
I can see your point about a man-in-the-middle attack on HTTP, but realistically if the the attacker can do the MITM he can probably also figure out how to modify the contents on the webserver, in which case TLS does nothing
replies(1): >>40094114 #
4. ranger_danger ◴[19 Apr 24 16:21 UTC] No.40088709[source]
Most websites these days use Crimeflare or equivalent already anyways which is a MITM proxy, so you're still not safe there either.
replies(1): >>40094136 #
5. d-z-m ◴[20 Apr 24 02:25 UTC] No.40094114[source]
> realistically if the the attacker can do the MITM he can probably also figure out how to modify the contents on the webserver, in which case TLS does nothing

Sorry, I don't see how that follows. If you had access to the webserver you would never even attempt a MITM attack in the first place.

6. d-z-m ◴[20 Apr 24 02:27 UTC] No.40094136[source]
Yes, however there's a big difference between Cloudflare and an arbitrary MITM. If you think Cloudflare is mangling traffic in a malicious way you would need a shred of evidence to substantiate that claim.

I would also push back that "most websites" use a 3rd party TLS terminating CDN/proxy layer in front of the actual webserver.

replies(1): >>40107411 #
7. ranger_danger ◴[21 Apr 24 17:18 UTC] No.40107411{3}[source]
> If you think Cloudflare is mangling traffic

I'm more concerned with the data they receive being leaked or sold.

And by most websites I guess I meant large ones that people frequent every day, because these days it's almost impossible to have any sort of useful DDoS protection without using such a service.

replies(1): >>40189612 #
8. d-z-m ◴[28 Apr 24 16:12 UTC] No.40189612{4}[source]
> I'm more concerned with the data they receive being leaked or sold.

But that's not what we're talking about here. We were talking about a MITM attack on key/tarfile distribution in the context of verifying file integrity.