[clamav-users] Database updated over unencrypted connection?

Micah Snyder (micasnyd) micasnyd at cisco.com
Fri Mar 15 13:05:02 EDT 2019


For what it's worth, one of the tasks we're working on for 0.102 is https support for freshclam.  

It's more than just adding an "s" to the URL.  The plan is to make libcurl a hard requirement for ClamAV, which will also mean including libcurl on Windows.  Then we'll have to rewrite the freshclam code to use libcurl instead of doing the http 1.0 connections the hard way.  This should give us http 1.1 and 2.0 support, as well as https support, and will make it possible to build clamsubmit for Windows.

No one is arguing with you because they don't want https support. However, as noted in previous conversations, we're comfortable with the security of plaintext/http connects because of how the databases are verified.  We do agree though, that https would be desirable.  

Micah


On 3/15/19, 11:54 AM, "clamav-users on behalf of Franky Van Liedekerke via clamav-users" <clamav-users-bounces at lists.clamav.net on behalf of clamav-users at lists.clamav.net> wrote:

    On Friday, 15-03-2019 at 16:04, instaham--- via clamav-users wrote:
    > Leonardo Rodrigues wrote:
    > >     the databases are digitally signed, and any modification, such as in
    > > a man-in-the-middle attack, would break the signature and freshclam
    > > would refuse to run the files.
    > 
    > Sounds good. Can you please explain how this works in detail?
    > 
    > Apt places GPG keys in the system and uses them to verify downloaded 
    > data.
    > 
    > It doesn't seem that ClamAV placed any GPG keys in my system. So how is 
    > the verification happening?
    > 
    
    I wonder why the http/https discussion is still relevant. Almost all sites use https now, http is getting slowly banned and a lot of companies just don't want to allow incoming http traffic towards a server. Certificates cost nothing anymore (you have free ones), so that's no longer an issue too. And the cpu issue might've been relevant years ago, but it shouldn't be now (offloading https to a high-performant frontend server can help if you really have issues).
    Just my 2 cents here ...
    
    Franky
    
    


