www-legal-discuss mailing list archives

From "Vladimir Sitnikov (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (LEGAL-457) Change license URL to https:
Date Fri, 14 Jun 2019 07:51:00 GMT

    [ https://issues.apache.org/jira/browse/LEGAL-457?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16863802#comment-16863802 ]

Vladimir Sitnikov commented on LEGAL-457:

{quote}What adding SSL in the license would really add?{quote}
a) Data integrity. I don't think a "someone-in-the-middle" attack makes sense for license texts,
however it is definitely simpler to do in the HTTP case than in the HTTPS case.

b) "Remote code execution" is harder to exploit in case the client talks over HTTPS. For instance,
what if there was a license checker tool that downloads "up to date copy of the license"?
If the tool uses HTTP, then it could be spoofed with invalid text, and it could be exploited.
At best it would just crash, however it could result in remote code execution, and/or it could
be server-side request forgery (==the tool could be spoofed to share some content from its
internal network).

Making https:// the default makes the above attacks harder.

> Change license URL to https:
> ----------------------------
>                 Key: LEGAL-457
>                 URL: https://issues.apache.org/jira/browse/LEGAL-457
>             Project: Legal Discuss
>          Issue Type: Task
>            Reporter: Henri Yandell
>            Priority: Major
> Post removing the footer from the license, the license URL should be changed from http:// to https://.
> We'll need to check that this does not cause issues with license checkers. Presumably it will drop matches from 100% to 99%.

This message was sent by Atlassian JIRA
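
An added example, not part of the original message or of any Apache tool: a sketch of the checks a license checker that fetches "an up to date copy" could apply, covering the spoofing and SSRF concerns raised in point b). The host `license.example`, the sample text, the size limit and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: stands in for a vetted local copy of a license text.
TRUSTED_COPY = b"Sample License\nVersion 0, constructed for this example\n"
PINNED_SHA256 = hashlib.sha256(TRUSTED_COPY).hexdigest()
MAX_BYTES = 64 * 1024  # assumed upper bound for a license text


def check_license_url(url, resolved_ips):
    """Return the reason a URL must not be fetched, or None if it is acceptable.

    resolved_ips holds the addresses the host resolved to; it is passed in
    so the check runs offline. Apply it to every redirect hop as well.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "scheme is not https"
    if not parts.hostname:
        return "no host"
    if not resolved_ips:
        return "host did not resolve"
    for ip in resolved_ips:
        # Loopback, private, link-local and similar ranges are not global,
        # so a spoofed URL cannot point the tool at the internal network.
        if not ipaddress.ip_address(ip).is_global:
            return f"{ip} is not a public address"
    return None


def accept_license_body(body, pinned_sha256=PINNED_SHA256):
    """Accept a downloaded body only if it is small and matches the pinned digest.

    A mismatch means the text changed or was tampered with; the caller
    should flag it for review instead of parsing the body.
    """
    if len(body) > MAX_BYTES:
        return False
    digest = hashlib.sha256(body).hexdigest()
    return hmac.compare_digest(digest, pinned_sha256)
```
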
