Pale Moon: Data breach on the archive server
Posted: Wed Jul 10, 2019 5:17 pm
Data breach on the archive server (archive.palemoon.org)
Virus or Trojan on archive.palemoon.org ?
Data breach post-mortem
Original post: There has been a data breach on the (convenience) archive server where an attempt was made to sabotage our project by infecting all archived Pale Moon executables present on the server at the time of the breach with malware.
The archive server has been shut down until a secure alternative is available.
That kind of stuff is there for a reason, so should not be dismissed, ignored - simply because you're getting your download from a "trusted" source.

Most of the versions of Pale Moon come with accompanying .sig files (pgp signatures) which you can use to verify that the files are not tampered with or changed in any way.
Apart from the period where code-signing was not used due to unavailability at reasonable cost for Open Source development, binaries have also been code-signed; which can be checked through a right-click -> properties -> tab "Digital Signatures". If this tab is missing, then the binary is either not signed or has been modified from its original.
Later versions of the archived executables also come with a SHA256 hash in the accompanying file "hashes.txt". You can verify the integrity that way, too.
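
The hashes.txt check mentioned in the post, sketched in Python as an added example (not part of the original post and not Pale Moon's own tooling). It assumes hashes.txt uses the sha256sum-style `<digest>  <filename>` layout, which the page does not confirm, and that the list was obtained from a copy you trust; the function names and sample files are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed line format (sha256sum style): "<64 hex chars>  <filename>"; not confirmed by the page.
LINE_RE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+?)\s*$")

def parse_hashes(text):
    """Map filename -> lowercase digest; lines that do not match the format are skipped."""
    matches = (LINE_RE.match(line) for line in text.splitlines())
    return {m.group(2): m.group(1).lower() for m in matches if m}

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so large installers are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def audit(directory, hashes_text):
    """Return {filename: status} with status OK, MISMATCH, MISSING or UNLISTED."""
    expected = parse_hashes(hashes_text)
    directory = Path(directory)
    report = {}
    for name, digest in expected.items():
        target = directory / name
        if not target.is_file():
            report[name] = "MISSING"      # listed, but no such file on disk
        else:
            report[name] = "OK" if sha256_file(target) == digest else "MISMATCH"
    for entry in directory.iterdir():
        if entry.is_file() and entry.name not in expected:
            report[entry.name] = "UNLISTED"   # on disk, but absent from the list
    return report

def demo():
    """Constructed sample: one intact file, one altered after hashing, one missing, one unlisted."""
    with tempfile.TemporaryDirectory() as tmp:
        files = {"a.exe": b"installer-a", "b.exe": b"installer-b", "c.exe": b"installer-c"}
        listing = "\n".join(f"{hashlib.sha256(d).hexdigest()}  {n}" for n, d in files.items())
        Path(tmp, "a.exe").write_bytes(files["a.exe"])
        Path(tmp, "b.exe").write_bytes(files["b.exe"] + b"appended")
        Path(tmp, "d.exe").write_bytes(b"extra")
        return audit(tmp, listing)
```

Treat MISMATCH and UNLISTED results as files to discard and re-download, then confirm the replacement against the .sig file or the Digital Signatures tab as well.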