WelcomeWelcome | FAQFAQ | DownloadsDownloads | WikiWiki

Author Topic: tinycorelinux.net does not support SSL, Chrome blocks downloads  (Read 1014 times)

Offline ovacikar

  • Newbie
  • *
  • Posts: 37
Hello

Google Chrome is blocking downloads from tinycorelinux.net web site, for being insecure.If it was due to high cost of SSL Certificates in the past, letsenctypt offers free SSL certificates to my knowledge.


Offline patrikg

  • Wiki Author
  • Hero Member
  • *****
  • Posts: 676
Re: tinycorelinux.net does not support SSL, Chrome blocks downloads
« Reply #1 on: March 04, 2024, 05:24:20 AM »
You can bypass that using key Keep.


Offline curaga

  • Administrator
  • Hero Member
  • *****
  • Posts: 10969
Re: tinycorelinux.net does not support SSL, Chrome blocks downloads
« Reply #2 on: March 04, 2024, 06:53:32 AM »
This is ridiculous. SSL does not any way mean a download is secure...
The only barriers that can stop you are the ones you create yourself.

Offline Rich

  • Administrator
  • Hero Member
  • *****
  • Posts: 11257
Re: tinycorelinux.net does not support SSL, Chrome blocks downloads
« Reply #3 on: March 04, 2024, 07:30:00 AM »
Hi curaga
Sounds like poor wording. It's probably objecting because
the link on the Downloads page points to the repo which
needs to be http.

Offline andyj

  • Hero Member
  • *****
  • Posts: 1022
Re: tinycorelinux.net does not support SSL, Chrome blocks downloads
« Reply #4 on: March 04, 2024, 12:54:17 PM »
This is ridiculous. SSL does not any way mean a download is secure...
Just another part of security theater.

Offline CentralWare

  • Administrator
  • Hero Member
  • *****
  • Posts: 1652
Re: tinycorelinux.net does not support SSL, Chrome blocks downloads
« Reply #5 on: March 06, 2024, 01:17:41 AM »
"Secure" has numerous definitions based on who you ask.

SSL simply encrypts data between two (or more) points - there have been US presidential candidates (no names need be mentioned :) ) who somehow thought just because something says SSL is SECURE doesn't mean the press isn't going to have a field day with your emails!

Encrypting publicly available downloads --- it's a pure WASTE of BANDWIDTH as SSL just adds fat to the download since the file itself is public domain.  It's not a "secret!"
Encrypting downloads that contain personal content (ie: zip files or scanned images of your identification, banking records, etc.) WOULD be something you'd want to encrypt.

G00GLE wants to make everything online SSL-IDENTITY based when in fact, it's because of places like Let's Encrypt (free) that every crook on the planet can afford an SSL cert of their own, so what's the point of Chrome pretending there's "safe" anything :)  Don't get me wrong, Let's Encrypt is awesome...  but trying to force the planet into submission?  Sounds an awful lot like the Shockwave/Flash demise to me!

@Curaga: If we HAD to comply...  why not utilize mirror links which DO have SSL implemented?  (https://distro.ibiblio.org/tinycorelinux/14.x/x86_64/release/CorePure64-14.0.iso)
Over 90% of all computer problems can be traced back to the interface between the keyboard and the chair

Offline gadget42

  • Hero Member
  • *****
  • Posts: 663
Re: tinycorelinux.net does not support SSL, Chrome blocks downloads
« Reply #6 on: March 06, 2024, 02:13:36 AM »
@CentralWare, thanks for taking the time to post that since there are many who don't understand the particulars.
The fluctuation theorem has long been known for a sudden switch of the Hamiltonian of a classical system Z54 . For a quantum system with a Hamiltonian changing from... https://forum.tinycorelinux.net/index.php/topic,25972.msg166580.html#msg166580

Offline Dies Irae

  • Newbie
  • *
  • Posts: 21
Re: tinycorelinux.net does not support SSL, Chrome blocks downloads
« Reply #7 on: March 06, 2024, 02:14:18 AM »
While we're on this subject of secure..

What are the thoughts about adding signify, noting that there are various flavours (predominantly due to adding fields), for which we perhaps could choose OpenWRT usign (which cost them a mere 11K when installed).

Recall that the computational overhead here would be minimal, the idea is that we can cryptographically verify a small file that is basically an hash+info of the extension. Once we know the hash is good, we assume that the file matching that hash is also good. OpenBSD (whom sanely rejected the idea that https solves everything in life) proved the idea is sound and inclusive to all, OpenWRT's implementation isn't new (had eyeballs) and is invested in being small and lightweight.

The entire dance is probably even cheaper than a https handshake/exchange (and alleviates everyone from fears such as as today, while even pre-preemptively swiping pro-https arguments off some potential table). Potential match made in heaven?
« Last Edit: March 06, 2024, 02:46:31 AM by Dies Irae »

Offline curaga

  • Administrator
  • Hero Member
  • *****
  • Posts: 10969
Re: tinycorelinux.net does not support SSL, Chrome blocks downloads
« Reply #8 on: March 06, 2024, 07:44:22 AM »
TC is a small, volunteer-based distro. While signing extensions would help detect a rogue mirror, it would imply many other kinds of security that would only be available in larger, corporate distros.
The only barriers that can stop you are the ones you create yourself.

Offline Dies Irae

  • Newbie
  • *
  • Posts: 21
Re: tinycorelinux.net does not support SSL, Chrome blocks downloads
« Reply #9 on: April 06, 2024, 09:35:37 PM »
TC is a small, volunteer-based distro. While signing extensions would help detect a rogue mirror, it would imply many other kinds of security that would only be available in larger, corporate distros.

After giving this response considerable thought, I can't, for the life of me, come up with any other implied benefits, other than of course the purpose: that a man in the middle (like the public internet wifi access in a super market of cafe or numerous other places OR some Iranian govt (and similar)) can not trivially infect a tinycore instance, by *simply* passing it the wrong md5 and infected matching tcz extension.
For equivalent example, I also don't see any other implied security of openwrt (for example) using signify, while I assume one wouldn't run openwrt on their laptop in a cafe, like one would use your cloud-os tinycore.

What other implied security features did I not think of?

Offline curaga

  • Administrator
  • Hero Member
  • *****
  • Posts: 10969
Re: tinycorelinux.net does not support SSL, Chrome blocks downloads
« Reply #10 on: April 06, 2024, 11:39:27 PM »
A signed extension implies the extension itself can be trusted. It would be trivial for a Jia Tan (see the recent xz news) to contribute a compromised extension, which would then be signed.
The only barriers that can stop you are the ones you create yourself.

Offline Dies Irae

  • Newbie
  • *
  • Posts: 21
Re: tinycorelinux.net does not support SSL, Chrome blocks downloads
« Reply #11 on: April 06, 2024, 11:56:25 PM »
Thanks for your clarification. With the utmost respect (really), I'd personally only 'trust' the signify to show that I obtained the binary that is in the repository. After all, with the same xz example, that could still have been in our repo (if someone in good faith had compiled and submitted it).
A more 'glaring' bad extension would hopefully have more eyeballs (Not only the person that somewhat skimmed what was submitted, but also the other users (by usage) of the extension).
It would only guarantee that whatever is currently in the repo, is what I got, be it good, or bad.

Who knows, a fair poll could shed some light on what 'the masses' think about the subject. You may be very right that they would mis-perceive it's purpose (what it does, and doesn't add/do).