interfasys Posted August 11, 2014

It would be great if file signatures could be posted somewhere so that we know we're getting the real thing. Nothing worse than leaks in a billing software. Preferred format would be SHA256.

Michael Posted August 11, 2014

> It would be great if file signatures could be posted somewhere so that we know we're getting the real thing. Nothing worse than leaks in a billing software. Preferred format would be SHA256.

As long as you get the files from https://account.blesta.com you will be fine. Our customers can download them from our download manager if they wish but we download them from the url above and ours has to be https://licensecart.com/billing/

interfasys (Author) Posted August 11, 2014

If their system has been compromised, then you're done for. Files could have been modified through Blesta, FTP, PHP exploit, etc. and you wouldn't know. It's just common practice to offer at least MD5 sigs.

Michael Posted August 11, 2014

> If their system has been compromised, then you're done for. Files could have been modified through Blesta, FTP, PHP exploit, etc. and you wouldn't know. It's just common practice to offer at least MD5 sigs.

Blesta own their own servers on their own racks in the datacenter next to the office (I believe). They aren't like WHM**, who erm use HostGator, and Blesta keeps up to date on software and updates.

Paul Posted August 11, 2014

We are not against publishing sha256 hashes with releases. We'll consider making it part of our release process.

mrrsm Posted August 11, 2014

> Blesta own their own servers on their own racks in the datacenter next to the office (I believe). They aren't like WHM**, who erm use HostGator, and Blesta keeps up to date on software and updates.

You can own as much hardware as you want, that doesn't make you invulnerable to security breaches no matter how good of a security plan you have in place. Having the signatures can also help validate corrupt downloads/uploads of files.

Michael Posted August 11, 2014

> You can own as much hardware as you want, that doesn't make you invulnerable to security breaches no matter how good of a security plan you have in place. Having the signatures can also help validate corrupt downloads/uploads of files.

1 in a million chance. And everything is encrypted when uploaded; the file names are like 123450kiourejkwodgtpwe.zip

mrrsm Posted August 11, 2014

> 1 in a million chance. And everything is encrypted when uploaded; the file names are like 123450kiourejkwodgtpwe.zip

Not saying they don't have good security policies in place, but being able to validate my download is useful for more than just tampering, as I pointed out above. I don't trust any site 100%, so the more ways I can verify things the better.