[JENKINS-28009] Jenkins Downloads Aren't Served Over HTTPS

Type: Bug
Resolution: Duplicate
Priority: Minor
Component/s: core
Labels:
- security

Similar Issues:
Powered by SuggestiMate

Show

Official downloads for the Jenkins binaries are served over plain HTTP. This is a security vulnerability, as any binaries being downloaded can easily be modified on-the-fly to inject malicious code. As Jenkins itself often has access to sensitive information, this presents a serious security vulnerability, especially for those who install and deploy Jenkins automatically.

Since it's now 2015, and we know that these attacks actively happen in the wild by all sorts of nefarious types, it's probably time to change this.

Fortunately, the fix is a simple! Just add a rewrite rule to replace all http:// requests to *.jenkins-ci.org and jenkins-ci.org to their respective https:// equivalents in your HTTP server, and then enable HSTS.

Daniel Beck added a comment - 2015-04-20 15:03

as any binaries being downloaded can easily be modified on-the-fly to inject malicious code

That's why they're signed. Check out jarsigner.

Daniel Beck added a comment - 2015-04-20 15:03 as any binaries being downloaded can easily be modified on-the-fly to inject malicious code That's why they're signed. Check out jarsigner.

Daniel Beck added a comment - 2015-04-20 15:04

Duplicates some issue in the INFRA project. The problem is the mirrors IIRC.

Daniel Beck added a comment - 2015-04-20 15:04 Duplicates some issue in the INFRA project. The problem is the mirrors IIRC.

Daniel Beck added a comment - 2015-04-20 15:12

INFRA-110 for the metadata, INFRA-266 for the downloads.

Daniel Beck added a comment - 2015-04-20 15:12 INFRA-110 for the metadata, INFRA-266 for the downloads.

Assignee:: Unassigned

Reporter:: Rich Jones

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2015-04-20 06:26

Updated:: 2015-04-20 15:12

Resolved:: 2015-04-20 15:04

Jenkins

Details

Description

Attachments

Activity

Collapse comment: Daniel Beck added a comment - 2015-04-20 15:03

Expand comment: Daniel Beck added a comment - 2015-04-20 15:03

Collapse comment: Daniel Beck added a comment - 2015-04-20 15:04

Expand comment: Daniel Beck added a comment - 2015-04-20 15:04

Collapse comment: Daniel Beck added a comment - 2015-04-20 15:12

Expand comment: Daniel Beck added a comment - 2015-04-20 15:12

People

Dates