Hi,
I’ve noticed that Sublime updates are being downloaded over plain HTTP. I’d like all downloads to be transferred over TLS instead.
Thanks for reading.
Totally makes sense. Many other apps are also switching to https only due to better safety and man in the middle attack avoidance.
Update checks have been done over HTTPS on OSX and Windows since 3100. The auto updater itself has always used signature verification on the downloaded updates.
Great. So why not download over TLS also? I think it would be a great improvement and since SSL certificates are cheap (https://letsencrypt.org/) nowadays it’s hardly a cost issue.
Today I switched SSL certificates on a server of mine to Let's Encrypt. Here is a nice guide for Debian systems in case there is interest: https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04
I just tried to update Sublime text on macOS from 4142 to 4126, but it tried to download over plaintext HTTP on download.sublimetext.com:80.
If I denied that call, the update failed… Can you please just fix?
Update checks and downloads have been over HTTPS for a while now (Except on Linux where that’s more recent). What URL are you seeing ST trying to access?
That’s not a full URL. If you don’t have anything more, at what point in the update process does it fail?
It downloads the update from http://download.sublimetext.com/
It fails once Sublime starts to download the update. (and I block the request on my firewall)
GET /_pak/sublime_text_osx_4142.manifest.xz HTTP/1.1
Host: download.sublimetext.com
Accept: */*
Accept-Language: en-gb
Connection: keep-alive
Accept-Encoding: gzip, deflate
User-Agent: sublime-update/3.0
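A small detection check for the situation in this post, added here as an example and not code from the thread or from Sublime HQ: it parses a captured TCP payload, treats anything that parses as an HTTP request as cleartext (an HTTPS fetch would begin with a TLS record header, not a method token), and flags requests aimed at the updater host or sent by the updater user agent. The host list and user-agent prefix are assumptions; the captured request is a trimmed copy of the one quoted above and the TLS bytes are constructed.

```python
"""Flag cleartext software-update fetches in captured TCP payloads."""
from typing import Optional

# Assumption: a defender-maintained list of updater hosts and user agents
# whose traffic should only ever appear inside TLS.
UPDATE_HOSTS = {"download.sublimetext.com"}
UPDATE_AGENT_PREFIXES = ("sublime-update/",)

def parse_http_request(payload: bytes) -> Optional[dict]:
    """Return method/path/headers if payload is a cleartext HTTP request.

    An HTTPS connection starts with a TLS record header (0x16 0x03 ...), never
    an ASCII method token, so anything that parses here was readable on the
    wire, which is exactly what a firewall sees in the case above.
    """
    try:
        head = payload.decode("ascii").partition("\r\n\r\n")[0]
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[0].isalpha() or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "path": parts[1], "headers": headers}

def flag_cleartext_update(payload: bytes, dst_port: int) -> Optional[dict]:
    """Return a finding when a cleartext request targets an updater host/agent."""
    req = parse_http_request(payload)
    if req is None:
        return None
    host = req["headers"].get("host", "").split(":")[0].lower()
    agent = req["headers"].get("user-agent", "")
    if host in UPDATE_HOSTS or agent.startswith(UPDATE_AGENT_PREFIXES):
        return {"host": host, "path": req["path"], "agent": agent, "port": dst_port}
    return None

# Constructed samples: the request quoted in the thread (trimmed) and the
# first bytes of a TLS ClientHello record, i.e. what an HTTPS fetch looks like.
CAPTURED_REQUEST = (
    b"GET /_pak/sublime_text_osx_4142.manifest.xz HTTP/1.1\r\n"
    b"Host: download.sublimetext.com\r\n"
    b"User-Agent: sublime-update/3.0\r\n\r\n"
)
TLS_CLIENT_HELLO_PREFIX = bytes.fromhex("160301005a010000560303")
```

Run `flag_cleartext_update(CAPTURED_REQUEST, 80)` to get a finding for the manifest fetch, while the TLS sample yields `None` because no request line is readable.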
We’re definitely using https to download the manifest. I was able to find a place where we weren’t using https.
The place I found that wasn’t using https has been fixed in build 4143, though again the manifest file has been downloaded using https for a while.