NealEhardt Posted December 11, 2016

This is regarding dotpdn.com.

At a minimum, this page http://www.dotpdn.com/downloads/pdn.html and the zip file should be served over HTTPS.

Inside the zip, the installer exe is signed by a "verified publisher", which is reassuring. But it's possible for an attacker to serve me a different zip file. Some users will run an exe that isn't signed by a verified publisher. Those users will get owned.

If we use https://letsencrypt.org/ then the only cost is developer time. What does the dotpdn.com stack look like? I may be able to give configuration advice.

toe_head2001 Posted December 11, 2016

12 minutes ago, NealEhardt said:
> Those users will get owned.

Could get owned. Murphy's Law is not really a natural law.

20 minutes ago, NealEhardt said:
> This is regarding dotpdn.com.

It's not just the dotpdn.com domain. When paint.net (the program) checks for updates, it's communicating with the getpaint.net domain. If there is an update, it will then download it from dotpdn.com.

At least the forum has encryption now (as of a few days ago).

Signature: June 7th, 2023: Sorry about any broken images in my posts. The underlying DNS issue should be resolved soon. My Gallery | My Plugin Pack | Layman's Guide to CodeLab

dipstick Posted December 11, 2016

Ha, ha. That's very funny. I only run Linux now. None of my programs have administrative privilege. None of my programs have internet access, unless I grant that. Good luck owning me...............

I also run all "Windows Programs" in a SandBox.

IRON67 Posted December 12, 2016 (edited December 12, 2016 by IRON67)

10 hours ago, dipstick said:
> Ha,ha. ... Good luck owning me...............

It is not very wise to laugh about other people's safety concerns. It is also unwise to think about Linux as a secure operating system. This is not the case, as the developments of recent years have shown. And finally, it is very unwise to hold a sandbox for a sufficient safety measure.

I think NealEhardt's proposal is absolutely reasonable. Much smarter and more competent people than you have laughed too early.

dipstick Posted December 12, 2016

I wasn't laughing at anyone's safety concerns. Internet safety is always a good idea. I do feel very confident about my vulnerabilities or lack thereof. I also use encryption for quite a few things.

IRON67 Posted December 12, 2016

14 minutes ago, dipstick said:
> I wasn't laughing at anyone's safety concerns.

Why then the HAHA That's very funny? For me this sounds somewhat arrogant.

Rick Brewster Posted December 12, 2016

I've been meaning to look into this, and I agree ...

... but, in the meantime, the EXE inside the ZIP is always digitally signed by "dotPDN LLC". So be sure to verify that.

Signature: The Paint.NET Blog: https://blog.getpaint.net/ Donations are always appreciated! https://www.getpaint.net/donate.html
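
One way to perform the check described in the post above, as an added example that is not part of the original thread and is not Paint.NET's own tooling. The script parameters and the assumption that the certificate's simple name is exactly "dotPDN LLC" are illustrative.

```powershell
# Added example: verify the installer's Authenticode signature before running it.
# $ZipPath and the exact publisher string are assumptions for illustration.
param(
    [Parameter(Mandatory)] [string] $ZipPath,
    [string] $ExpectedPublisher = 'dotPDN LLC'
)
$ErrorActionPreference = 'Stop'

# Extract into a fresh temp directory; nothing from the archive is executed.
$dest = Join-Path ([IO.Path]::GetTempPath()) ([Guid]::NewGuid().ToString())
Expand-Archive -LiteralPath $ZipPath -DestinationPath $dest

$exes = @(Get-ChildItem -LiteralPath $dest -Recurse -Filter *.exe)
if ($exes.Count -eq 0) { throw "No .exe found in $ZipPath" }

$allGood = $true
foreach ($exe in $exes) {
    $sig = Get-AuthenticodeSignature -LiteralPath $exe.FullName

    # 'Valid' = file hash matches the signature and the chain ends in a trusted root.
    # Anything else (NotSigned, HashMismatch, NotTrusted, ...) is a failure.
    $statusOk = $sig.Status -eq [System.Management.Automation.SignatureStatus]::Valid

    # Compare the certificate's simple name exactly; a substring match on the
    # full subject would also accept look-alike names such as "Not dotPDN LLC Ltd".
    $signer = '<none>'
    if ($sig.SignerCertificate) {
        $signer = $sig.SignerCertificate.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    }
    $signerOk = $signer -ceq $ExpectedPublisher

    if ($statusOk -and $signerOk) {
        Write-Host "OK    $($exe.Name)  signed by '$signer'"
    } else {
        $allGood = $false
        Write-Warning "FAIL  $($exe.Name)  status=$($sig.Status)  signer='$signer'"
    }
}

# The temp copy was only needed for inspection.
Remove-Item -LiteralPath $dest -Recurse -Force
if (-not $allGood) { exit 1 }
```

A passing result says the file is unmodified since signing and that the signing certificate carries the expected publisher name, which is the check that still holds when the ZIP itself arrived over plain HTTP.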

toe_head2001 Posted March 27, 2017

I see TLS connections are available for all the paint.net websites now. Thanks!

Rick Brewster Posted March 30, 2017

yup

Just got those all set up in the last week. Setting up SSL is not fun, but it had to be done!

All http:// requests should be auto-forwarding to https:// now.

You may still see a grey "info" link (instead of green "secure") in the address bar for pages on the forum. I think it's because many images are served from http:// (oops, like my own signature image ... I should fix that. Edit: fixed!)