Box host isn't using TLS about pentest-env HOT 5 CLOSED

Done. All boxes are now uploaded to atlas.hashicorp.com.

from pentest-env.

Hi,
There is a self-signed certificate here https://box.hackbbs.org/
The checksums are also available here:

• https://github.com/Sliim/pentest-env/blob/master/checksums.txt
• https://github.com/Sliim/pentest-env/blob/master/docs/About-boxes.md

This is not sufficient?

from pentest-env.

I appreciate the response on this. The checksums on GitHub are definitely useful, but I was mostly talking about the box host. In the Vagrant configuration, kali.vm.box_url is pulling a box over standard HTTP. This is fine if you're using the checksums to verify the box integrity, but serving over a CA-signed TLS cert would allow us to forego the checksum verification step and, more importantly, lessen the chance of actually downloading a malicious box. It's just a suggestion. Let's Encrypt allows you to easily set up a free certificate and automate the renewal process. The self-signed cert would work if we installed the public certificate on our machines, but otherwise, it's no more useful than serving over HTTP.

from pentest-env.

Hi!
Sorry for latency..
I tried the vagrant cloud storage for some boxes, looks good I think I will upload all Kali box here.
Box will be served by https://atlas.hashicorp.com and checksums by github.
I think this is a good alternative, number of box increased and I have limited storage in the current server (it was originally temporary...).

from pentest-env.

@Sliim I think that's a great plan! Thanks for continuing to work on this!

from pentest-env.