by
kelnos
1957 days ago
And it seems they've fixed the issue, without any kind of public comment.... still not great:
https://github.com/signalapp/Signal-TLS-Proxy/commit/39a97da...
kdunglas
1957 days ago
I (partially) fixed this issue, and I'm not affiliated in any way with Signal. It's public (https://github.com/signalapp/Signal-TLS-Proxy/pull/2), and it looks like they welcome contributions, because they merged mine.
cryo
1957 days ago
Wouldn't it be saner to also verify the downloaded archive hash? It looks like the domain resolving of nginx.org is trusted without doubt.
kdunglas
1956 days ago
Sure! I also opened another PR to check the archive signature:
https://github.com/signalapp/Signal-TLS-Proxy/pull/10
gspr
1957 days ago
Sorry for not noticing your PR before filing the bug.
I still find the way they (partially) dealt with this a bit worrisome.