86 points stargrave | 2 comments
d-z-m No.40087579
> You have to verify downloaded tarballs authenticity to be sure that you retrieved trusted and untampered software.

I'm not able to access the site over TLS, so this is currently impossible. Anyone else have better luck?

    (from the installation instructions)

    $ [fetch|wget] http://www.vors.stargrave.org/download/vors-2.3.0.tar.zst
    $ [fetch|wget] http://www.vors.stargrave.org/download/vors-2.3.0.tar.zst.sig
    [verify signature]
    $ tar xf vors-2.3.0.tar.zst

Guarantees nothing, if you're actually being attacked. You can't serve out the tarball and the public key[0] and the signature insecurely and get any guarantees about authenticity.

[0]:http://www.vors.stargrave.org/PUBKEY-SSH.pub

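As an added example, not from this thread and not the vors project's own code: a standard-library Python model of the point made above. The signature scheme is toy textbook RSA (no padding) standing in for the real one, and the key material, "tarball" bytes and channel contents are all constructed. It shows that verifying with a PUBKEY served by the same plain-HTTP site passes for an attacker's consistently substituted bundle, whereas a key fingerprint pinned from a channel the attacker does not control rejects that bundle.

```python
"""Why a signature check with a public key fetched over the same
unauthenticated channel as the tarball proves nothing against an active
attacker, and why a key pinned out-of-band does.

The signature scheme is textbook RSA without padding: a toy used only so
the model runs on the Python standard library. It is not secure and is
not what the project uses.
"""
import hashlib

PUBLIC_EXPONENT = 65537


def keygen(p, q):
    """Return (public_key, private_key) for toy textbook RSA."""
    n = p * q
    d = pow(PUBLIC_EXPONENT, -1, (p - 1) * (q - 1))  # Python 3.8+
    return (n, PUBLIC_EXPONENT), (n, d)


def _digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data):
    n, d = private_key
    return pow(_digest_int(data, n), d, n)


def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest_int(data, n)


def fingerprint(public_key):
    """SHA-256 over the encoded public key; this is the value you pin."""
    n, e = public_key
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()


# Constructed key pairs (Mersenne primes keep the moduli short to write):
# one for the legitimate publisher, one for the attacker.
PUBLISHER_PUB, PUBLISHER_PRIV = keygen(2**107 - 1, 2**127 - 1)
ATTACKER_PUB, ATTACKER_PRIV = keygen(2**89 - 1, 2**521 - 1)

# What an honest HTTP download yields (constructed sample bytes).
GENUINE_TARBALL = b"vors-2.3.0.tar.zst: genuine bytes (constructed sample)"
HONEST_CHANNEL = {
    "tarball": GENUINE_TARBALL,
    "sig": sign(PUBLISHER_PRIV, GENUINE_TARBALL),
    "pubkey": PUBLISHER_PUB,
}

# What an attacker on the path substitutes: tarball, .sig and PUBKEY all
# travel over the same unauthenticated channel, so all three are replaced
# consistently with the attacker's own key.
TAMPERED_TARBALL = b"vors-2.3.0.tar.zst: tampered bytes (constructed sample)"
MITM_CHANNEL = {
    "tarball": TAMPERED_TARBALL,
    "sig": sign(ATTACKER_PRIV, TAMPERED_TARBALL),
    "pubkey": ATTACKER_PUB,
}


def verify_with_downloaded_key(channel):
    """The procedure as written in the installation instructions: trust
    whichever PUBKEY the same HTTP site served."""
    return verify(channel["pubkey"], channel["tarball"], channel["sig"])


def verify_with_pinned_key(channel, pinned_fingerprint):
    """Accept the served key only if it matches a fingerprint learned through
    a channel the attacker does not control (TLS, a previous trusted
    install, a keyserver, a person you met); refuse before checking the
    signature if it does not."""
    if fingerprint(channel["pubkey"]) != pinned_fingerprint:
        return False
    return verify(channel["pubkey"], channel["tarball"], channel["sig"])


if __name__ == "__main__":
    pinned = fingerprint(PUBLISHER_PUB)  # obtained out-of-band
    print("downloaded key, honest channel:", verify_with_downloaded_key(HONEST_CHANNEL))
    print("downloaded key, MITM channel:  ", verify_with_downloaded_key(MITM_CHANNEL))
    print("pinned key, honest channel:    ", verify_with_pinned_key(HONEST_CHANNEL, pinned))
    print("pinned key, MITM channel:      ", verify_with_pinned_key(MITM_CHANNEL, pinned))
```

The second print line is the whole argument: the substituted bundle verifies cleanly, because the verifier has no trust anchor other than the channel it is trying to authenticate. The pinned check fails closed on key mismatch without touching the signature, which is the behaviour you want from a downloader.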
1. someguydave No.40088358
I can see your point about a man-in-the-middle attack on HTTP, but realistically if the attacker can do the MITM he can probably also figure out how to modify the contents on the webserver, in which case TLS does nothing.
2. d-z-m No.40094114
> realistically if the attacker can do the MITM he can probably also figure out how to modify the contents on the webserver, in which case TLS does nothing

Sorry, I don't see how that follows. If you had access to the webserver you would never even attempt a MITM attack in the first place.