2013-02-13 09:25 pm

Why unauthenticated software download is dangerous and unethical.

(The canonical location of this blog post is now "Why unauthenticated software download is dangerous and unethical" on my web site.)

Have you ever done svn checkout http://include-what-you-use.googlecode.com/svn/trunk/ include-what-you-use?

How about download; ./configure; make; make install when the connection is HTTP and you haven't checked your download against a cryptographic hash (e.g. SHA256) or public key (e.g. PGP) provided via an authenticated channel (e.g. HTTPS)? [1]

Have you ever done these while using coffee shop or train or cellular Internet without a VPN? Or even on home WiFi in a crowded area? [2]

It's not just your own security that these deeds put at risk.
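The check that is missing from the download; ./configure; make; make install habit above, as an added example that is not part of the original post: nothing from the archive is extracted or run until its SHA-256 matches a digest you obtained separately. The function names (sha256_of, verify_sha256, verified_unpack) are hypothetical, and the script assumes the expected digest was copied from an authenticated channel such as an HTTPS page; it cannot check that for you.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Function names are hypothetical.
# Assumption: the expected digest came from an authenticated channel (HTTPS).

# sha256_of FILE: print the lowercase hex SHA-256 of FILE.
# Reading from stdin keeps odd file names out of the tool's output format.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    else
        shasum -a 256 < "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 on a malformed digest or unreadable file.
verify_sha256() {
    local file=$1 expected actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # An empty, truncated or non-hex digest must never count as a match.
    case $expected in
        *[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    [ -r "$file" ] || return 2
    actual=$(sha256_of "$file") || return 2
    [ "$actual" = "$expected" ]
}

# verified_unpack TARBALL EXPECTED_HEX DESTDIR
# Extracts only after the digest check passes, so a tampered archive never
# reaches tar, ./configure or make.
verified_unpack() {
    local tarball=$1 expected=$2 dest=$3
    if ! verify_sha256 "$tarball" "$expected"; then
        echo "refusing to unpack $tarball: SHA-256 check failed" >&2
        return 1
    fi
    mkdir -p -- "$dest" && tar -xzf "$tarball" -C "$dest"
}
```

A digest fetched over the same unauthenticated connection as the archive proves nothing, since whoever can alter one can alter the other.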