Something about going Commercial

webdawg

Contributor
Joined
May 25, 2016
Messages
112

JoshDW19

Community Hall of Fame
Joined
May 16, 2016
Messages
1,077
Hey @webdawg I lead the Web team here at iXsystems and I appreciate this feedback. We're in the middle of re-conceptualizing our download page so we're going to take this into consideration and see if we can accommodate your request.
 

JoshDW19

Community Hall of Fame
Joined
May 16, 2016
Messages
1,077
@dipstick yeah. We feel like it's a little too difficult getting to the download page right now. You have to go through 3 pages... we're working on a concept where it will all work from one page.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
Oh, the sha256 used to be displayed under the download button, it's a bit of a shame that's gone. That said...

I know you have your marketing, but can you add verify instructions to this page:


I mean, a link to https://download.freenas.org/12.0/STABLE/U1/x64/ w/ instructions on how to use the keys, and why it is important to do so?

We need to continue to keep the world security minded.
Security has nothing to do with it. You're getting the sha256 from the same place you're getting the download, any attacker with access to either one can easily compromise the other.

What matters is that it's served via HTTPS and the certificates are valid. Of course, that's no panacea, with Let's Encrypt the whole domain could be conceivably taken over wholesale and new certificates issued to the fraudulent entity in control of the domain. Some registrars used to be/are pretty prone to social engineering... A more bureaucratic certificate authority may mitigate that scenario, but the rabbit hole goes deeper.
 
Joined
Oct 22, 2019
Messages
3,641
Of course, that's no panacea, with Let's Encrypt the whole domain could be conceivably taken over wholesale and new certificates issued to the fraudulent entity in control of the domain. Some registrars used to be/are pretty prone to social engineering... A more bureaucratic certificate authority may mitigate that scenario, but the rabbit hole goes deeper.
I'm not very familiar with Let's Encrypt, but are they more lax with issuing (and re-issuing) certificates? What is their standard of proof of "you are who you claim to be"?
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
That you control the domain.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
What is there standard of proof of "you are who you claim to be"?
To be more specific than Eric:
  • For a requested domain $DOMAIN, that you can serve a file with the specified pseudorandom contents at http://$DOMAIN/.well-known/acme-challenge/longpseudorandomfilename; or
  • You can create a DNS TXT record for _acme-challenge.$DOMAIN with specified pseudorandom contents
There's a third challenge type that operates over TLS, but I'm not very familiar with it. The challenge must be successfully completed for every FQDN you want to be on the cert. If you want a wildcard cert (*.$DOMAIN), you must use the DNS challenge.
 
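The two challenges danb35 describes, worked through from the CA's side as an added example (not code from this thread, from Let's Encrypt or from iXsystems): it derives what the HTTP-01 file and the DNS-01 TXT record must contain for a given account key and token per RFC 8555, then runs the same comparison a CA would. The account JWK, token and example.com domain are constructed sample values.

```python
import base64
import hashlib
import json

# Constructed sample inputs (not real ACME data): an account JWK and a challenge token.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
DOMAIN = "example.com"

def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """Exact body of the HTTP-01 challenge file: token '.' account-key thumbprint."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def http01_location(domain: str, token: str) -> str:
    """URL the CA fetches: the token is the 'long pseudorandom filename' from the post."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"

def dns01_name(domain: str) -> str:
    return f"_acme-challenge.{domain}"

def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT record contents: base64url(SHA-256(key authorization)), not the raw token."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode()).digest())

def validate_http01(served: dict, domain: str, token: str, jwk: dict) -> bool:
    """Simulated CA check: served maps URL -> body; trailing whitespace is tolerated."""
    body = served.get(http01_location(domain, token))
    return body is not None and body.strip() == key_authorization(token, jwk)

def validate_dns01(txt_records: dict, domain: str, token: str, jwk: dict) -> bool:
    """Simulated CA check: txt_records maps name -> list of TXT strings; any match passes."""
    return dns01_txt_value(token, jwk) in txt_records.get(dns01_name(domain), [])

if __name__ == "__main__":
    print(http01_location(DOMAIN, TOKEN), "->", key_authorization(TOKEN, ACCOUNT_JWK))
    print(dns01_name(DOMAIN), "TXT", dns01_txt_value(TOKEN, ACCOUNT_JWK))
```

Both checks bind the response to the account key that requested the certificate, which is why simply knowing the token is not enough to pass validation.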