Hacker News
by
kdunglas
1966 days ago
I (partially) fixed this issue, and I'm not affiliated in any way with Signal. It's public (https://github.com/signalapp/Signal-TLS-Proxy/pull/2), and it looks like they welcome contributions, because they merged mine.
2 comments
cryo
1966 days ago
Wouldn't it be saner to also verify the downloaded archive hash? It looks like the domain resolving of nginx.org is trusted without doubt.
kdunglas
1965 days ago
Sure! I also opened another PR to check the archive signature:
https://github.com/signalapp/Signal-TLS-Proxy/pull/10
gspr
1966 days ago
Sorry for not noticing your PR before filing the bug.
I still find the way they (partially) dealt with this a bit worrisome.