Privacytools.io: ❌ Software Removal | PeaZip

Created on 12 Mar 2020  ·  10 Comments  ·  Source: privacytools/privacytools.io

Description

I suggest removing PeaZip.

Why I am making the suggestion

PeaZip websites cannot be accessed without TLS 1.0 enabled.
Not only SSL 3.0 but also SSL 2.0 is still in effect.
I do not want to use encryption software created by people who cannot properly manage a web server.

https://www.ssllabs.com/ssltest/analyze.html?d=www.peazip.org
https://www.hardenize.com/report/peazip.org/1584027400

My connection with the software

Unrelated

  • [✔] I will keep the issue up-to-date if something I have said changes or I remember a connection with the software.
Labels: approved, ❌ software removal


All 10 comments

Yes this is definitely an issue, seems to be an old Microsoft server:

*   Trying 82.187.89.53:443...
* Connected to peazip.org (82.187.89.53) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* TLSv1.0 (IN), TLS handshake, Server key exchange (12):
* TLSv1.0 (IN), TLS handshake, Server finished (14):
* TLSv1.0 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.0 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.0 (OUT), TLS handshake, Finished (20):
* TLSv1.0 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.0 / ECDHE-RSA-AES256-SHA
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=www.peazip.org
*  start date: Jul  5 00:00:00 2019 GMT
*  expire date: Jul  4 12:00:00 2021 GMT
*  subjectAltName: host "peazip.org" matched cert's "peazip.org"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=RapidSSL RSA CA 2018
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: peazip.org
> User-Agent: curl/7.69.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Content-Type: text/html; charset=UTF-8
< Location: http://www.peazip.org/
< Server: Microsoft-IIS/7.5
< X-Powered-By: ASP.NET
< Date: Fri, 13 Mar 2020 00:56:12 GMT
< Content-Length: 145
<

IIS 7.5 was included in Windows 7 (but it must be turned on in the side panel of Programs and Features) and Windows Server 2008 R2. IIS 7.5 improved WebDAV and FTP modules as well as command-line administration in PowerShell. It also introduced TLS 1.1 and TLS 1.2 support and the Best Practices Analyzer tool and process isolation for application pools.

Strangely they seem to have TLS 1.2 disabled.

$ openssl s_client -connect peazip.org:443 -tls1_2
CONNECTED(00000003)
115774100628736:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:ssl/statem/statem_lib.c:1928:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 3232 bytes and written 220 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1584062393
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

Not many people could view this site anyway, as Chrome, Edge, IE, Firefox, and Safari are to disable TLS 1.0 and TLS 1.1 in 2020.

I don't think this deserves a de-list, though, this can be fixed with an e-mail to them.
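As an added example (not code from this thread or from the PeaZip project), a standard-library Python probe that pins a client to one protocol version at a time and reports the two findings the curl and openssl output above illustrate: a legacy version still accepted, and no TLS 1.2/1.3 offered. SSL 2/3 cannot be tested this way because current OpenSSL builds no longer implement them, and the script name `tlsprobe.py` in the usage line is hypothetical.

```python
import socket
import ssl
import sys

# Versions the ssl module can pin a client to. SSL 2.0/3.0 cannot be probed
# this way: current OpenSSL builds no longer implement them at all.
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}

def pinned_context(version):
    """Client context that offers exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ctx.maximum_version = version
    # Only the negotiated version matters here, not chain validation.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def probe(host, version, port=443, timeout=5.0):
    """Return (negotiated, detail) for one pinned version against host."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with pinned_context(version).wrap_socket(raw, server_hostname=host) as tls:
                return True, f"{tls.version()} / {tls.cipher()[0]}"
    except (ssl.SSLError, OSError, ValueError) as exc:
        # Recent OpenSSL may refuse TLS 1.0/1.1 on the client side too, so a
        # failure means "not negotiated", not proof the server disabled it.
        return False, str(exc)

def assess(results):
    # results maps a version name to whether it was negotiated
    findings = []
    if not (results.get("TLS 1.2") or results.get("TLS 1.3")):
        findings.append("no modern protocol (TLS 1.2/1.3) offered")
    for legacy in ("TLS 1.0", "TLS 1.1"):
        if results.get(legacy):
            findings.append(f"legacy protocol {legacy} still accepted")
    return findings

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) == 2 else sys.exit("usage: tlsprobe.py HOST")
    outcome = {}
    for name, ver in VERSIONS.items():
        outcome[name], detail = probe(host, ver)
        print(f"{name:8} {'ok' if outcome[name] else 'no'}  {detail}")
    for finding in assess(outcome):
        print("FINDING:", finding)
```

Against the state shown in the thread (TLS 1.0 negotiable, TLS 1.2 refused) the probe reports both findings; after the fix the site owner describes, it should report none.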

Agreed with @5a384507-18ce-417c-bb55-d4dfcc8883fe , their website is clearly old, but the software is regularly updated, latest release was 6 days ago (via GitHub). Could the lack of protection from the website lead to a malicious actor changing the downloaded software? We could point to the release page on their GitHub repo, although, as you can check on the Windows download page, the file is hosted by OSDN, which has the necessary protections in place. I believe there is no need to change.

I don't think this deserves a de-list, though, this can be fixed with an e-mail to them.

I did send them an email (should have mentioned that). I haven't yet received a reply, but most likely we will just link to their GitHub or SourceForge page. Both seem to be updated.

I'm not entirely sure why it was added in the first place, so my guess is that it was legacy from the days when privacytools.io really had no/little requirements.

This software isn't tracked by version control, the author simply just uploads a tarball. I don't really like this as it makes it difficult to track what has changed through commits. 7-Zip doesn't either unfortunately.

The author hasn't gotten back to me regarding the issues with their site, although that could have something to do with what is going on in the world currently.

This software is not cryptographically signed, i.e. with PGP or minisign etc. Nor is it in any distribution repositories. The Linux version of this depends on Qt4/GTK2, which are both deprecated in favour of GTK3 and Qt5. No distribution has packaged it. I doubt they will while it depends on these libraries. I can't see if there's a development branch with a newer version either. I would be curious to know if future development of this actively developed project has any likelihood of a GTK3/Qt5 port.

I am in favor of #1784 and p7zip as I feel that would be a better recommendation for Linux/BSD users, as that integrates into tools like File Roller, Xarchiver, Ark and is distributed through distributor repositories.

I would be recommending in future requirements for software to be added that it must:

  • Have source repository, eg git, mercurial etc
  • Signed releases eg pgp clearsign
  • Be open source.

I vote for removing peazip and swapping it with 7zip.

I would be recommending in future requirements for software to be added that it must:

  • Have source repository, eg git, mercurial etc
  • Signed releases eg pgp clearsign
  • Be open source.

I greatly agree.

Also, Keka is not open source so maybe we should remove that.

Nah, the whole idea does not go inside my brain. You punish people because they have not updated their site? I mean, he said the software is updated. Also, what if they are not good at web servers, or they do not know web development? How will that affect my security when using their app? I don't get it. It's not the same programming language, so I don't give a darn if their website is updated or not; all I care about is whether their app is good enough or not, and he clearly said it's kept updated. So nope, give me another reason.

I know it's late, but I gotta say my point of view, and my point of view is that your claim is bad and I want a more convincing one.

Hello, in the first place let me apologize for the delay with which TLS 1.2 was implemented and for the lack of prompt feedback.
I can confirm that TLS 1.2 is now supported, and older insecure protocols such as TLS 1.0 and SSL 2/3 were dropped.
