Add a downloader + verifier for static.rust-lang.org #179
Conversation
This is pretty primitive and completely synchronous with no progress notifications.
|
|
||
| foreach (String fingerprint in Sha256Fingerprints) | ||
| { | ||
| if (fingerprint == received_fingerprint) { return true; } |
There was a problem hiding this comment.
I'm not a security person by any stretch of the imagination, so this might be dumb, but what does checking for exact cert fingerprint gives us?
There was a problem hiding this comment.
It gives us the knowledge that the connection isn't being MITM'd by any other certificates that may be trusted by the root CA store - either added by malware, compromised certificate, or just plain malice (which has been documented)
There was a problem hiding this comment.
It's called certificate pinning, and browsers use it in the form of HSTS.
|
I don't enforce any particular style of coding in this project, but please use camelCase for variables and function arguments. |
|
@vosen No problem! I'm glad we'll be getting a signing cert :) I'll clean up the style - C# isn't what I've used in any projects except minor "learn the language" programs. I'll poke around for something that doesn't depend on |
|
I'm back to uni tomorrow so I might be a bit slower than usual in responding, as well. |
|
Also, as detailed a review as you can give in regards to structure etc is useful for me - I don't do much programming in the OO style, and C# is a language I'm very weak in. Any avoidance of useful features or handy library things is not a guided choice, but just ignorance! |
|
Your style is OK, other than using a |
|
I guess this is outdated and we should just wrap |
This is pretty primitive and completely synchronous with no progress notifications.
First step towards #172