Software Removal | PeaZip #1782

Closed
opened 2020-03-12 15:43:38 +00:00 by ghost · 10 comments
ghost commented 2020-03-12 15:43:38 +00:00 (Migrated from github.com)

Description

I suggest removing PeaZip.

Why I am making the suggestion

PeaZip's websites cannot be accessed without TLS 1.0 enabled.
Not only SSL 3.0 but also SSL 2.0 is enabled.
I do not want to use encryption software created by people who cannot properly manage a web server.

https://www.ssllabs.com/ssltest/analyze.html?d=www.peazip.org
https://www.hardenize.com/report/peazip.org/1584027400

My connection with the software

Unrelated

  • [✔] I will keep the issue up-to-date if something I have said changes or I remember a connection with the software.
dngray commented 2020-03-13 01:03:52 +00:00 (Migrated from github.com)

Yes, this is definitely an issue; it seems to be an old Microsoft server:

*   Trying 82.187.89.53:443...
* Connected to peazip.org (82.187.89.53) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* TLSv1.0 (IN), TLS handshake, Server key exchange (12):
* TLSv1.0 (IN), TLS handshake, Server finished (14):
* TLSv1.0 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.0 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.0 (OUT), TLS handshake, Finished (20):
* TLSv1.0 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.0 / ECDHE-RSA-AES256-SHA
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=www.peazip.org
*  start date: Jul  5 00:00:00 2019 GMT
*  expire date: Jul  4 12:00:00 2021 GMT
*  subjectAltName: host "peazip.org" matched cert's "peazip.org"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=RapidSSL RSA CA 2018
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: peazip.org
> User-Agent: curl/7.69.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Content-Type: text/html; charset=UTF-8
< Location: http://www.peazip.org/
< Server: Microsoft-IIS/7.5
< X-Powered-By: ASP.NET
< Date: Fri, 13 Mar 2020 00:56:12 GMT
< Content-Length: 145
<

IIS 7.5 was included in Windows 7 (but it must be turned on in the side panel of Programs and Features) and Windows Server 2008 R2. IIS 7.5 improved WebDAV and FTP modules as well as command-line administration in PowerShell. It also introduced TLS 1.1 and TLS 1.2 support and the Best Practices Analyzer tool and process isolation for application pools.[11]

Strangely they seem to have TLS 1.2 disabled.

$ openssl s_client -connect peazip.org:443 -tls1_2
CONNECTED(00000003)
115774100628736:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:ssl/statem/statem_lib.c:1928:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 3232 bytes and written 220 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1584062393
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

Not many people could view this site anyway: [Chrome, Edge, IE, Firefox, and Safari to disable TLS 1.0 and TLS 1.1 in 2020](https://www.zdnet.com/article/chrome-edge-ie-firefox-and-safari-to-disable-tls-1-0-and-tls-1-1-in-2020/).

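The two traces above show the pattern to look for in a handshake log: curl negotiates TLSv1.0 with a CBC/SHA-1 suite and is then redirected to plain HTTP, while a forced `-tls1_2` probe with `openssl s_client` fails with "unsupported protocol" yet still prints `Protocol : TLSv1.2` (that is the version the client asked for, not one the server accepted). The following is an added example, not code from the thread or from the PeaZip project: a small Python checker that parses such trace output and turns it into findings. The sample lines are constructed after the outputs quoted above, with the redirect target replaced by an example hostname; the `assess` heuristics (which protocol names count as deprecated, which cipher suffixes indicate a non-AEAD suite) are assumptions of this example.

```python
import re

# Protocol names as printed by curl ("TLSv1.0") and openssl ("TLSv1"); all are
# disabled by current browsers, so negotiating any of them is a finding.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}

# Constructed sample: an abridged `curl -v https://...` trace of the kind above.
CURL_TRACE = """\
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* SSL connection using TLSv1.0 / ECDHE-RSA-AES256-SHA
* ALPN, server did not agree to a protocol
< HTTP/1.1 301 Moved Permanently
< Location: http://www.example.org/
< Server: Microsoft-IIS/7.5
"""

# Constructed sample: `openssl s_client -connect host:443 -tls1_2` rejected by the server.
S_CLIENT_TLS12 = """\
CONNECTED(00000003)
1234:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:ssl/statem/statem_lib.c:1928:
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
---
"""


def parse_curl_trace(trace: str) -> dict:
    """Extract negotiated protocol, cipher, ALPN result and key response headers."""
    info = {"protocol": None, "cipher": None, "alpn": None, "server": None, "location": None}
    m = re.search(r"\* SSL connection using (\S+) / (\S+)", trace)
    if m:
        info["protocol"], info["cipher"] = m.group(1), m.group(2)
    m = re.search(r"\* ALPN, server accepted to use (\S+)", trace)
    if m:
        info["alpn"] = m.group(1)  # stays None when "server did not agree to a protocol"
    m = re.search(r"^< Server: (.+?)\s*$", trace, re.M)
    if m:
        info["server"] = m.group(1)
    m = re.search(r"^< Location: (\S+)", trace, re.M)
    if m:
        info["location"] = m.group(1)
    return info


def parse_s_client(output: str) -> dict:
    """Decide whether a forced-version s_client probe actually completed a handshake.

    The SSL-Session block echoes the requested version even on failure, so the
    error line and 'Cipher is (NONE)' are the authoritative signals, not 'Protocol :'.
    """
    failed = "unsupported protocol" in output or "Cipher is (NONE)" in output
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    return {
        "handshake_ok": not failed,
        "protocol": proto.group(1) if proto else None,
        "cipher": cipher.group(1) if cipher else None,
    }


def assess(curl_info: dict, probes: dict) -> list:
    """Turn parsed traces into findings. `probes` maps an openssl version flag
    such as '-tls1_2' to the parse_s_client() result for that probe."""
    findings = []
    proto = curl_info["protocol"]
    if proto in WEAK_PROTOCOLS:
        findings.append(f"negotiated {proto}: deprecated protocol, disabled in current browsers")
    cipher = curl_info["cipher"] or ""
    if cipher and not cipher.startswith(("ECDHE-", "DHE-", "TLS_")):
        findings.append(f"cipher {cipher} offers no forward secrecy")
    if cipher.endswith(("-SHA", "-MD5")):
        findings.append(f"cipher {cipher} is a non-AEAD CBC suite with SHA-1/MD5 MAC")
    if curl_info["location"] and curl_info["location"].startswith("http://"):
        findings.append("HTTPS response redirects to plain HTTP")
    for flag, result in probes.items():
        if flag in ("-tls1_2", "-tls1_3") and not result["handshake_ok"]:
            findings.append(f"{flag} handshake rejected: modern TLS not offered")
        if flag in ("-ssl2", "-ssl3", "-tls1", "-tls1_1") and result["handshake_ok"]:
            findings.append(f"{flag} handshake accepted: legacy protocol still enabled")
    if curl_info["server"]:
        findings.append(f"Server header reveals {curl_info['server']}")
    return findings


if __name__ == "__main__":
    info = parse_curl_trace(CURL_TRACE)
    for line in assess(info, {"-tls1_2": parse_s_client(S_CLIENT_TLS12)}):
        print("-", line)
```

Feed it real traces by capturing `curl -v` (stderr) and one `openssl s_client -connect host:443 -tls1_2` run per version flag; the point of the `parse_s_client` check is that reading `Protocol : TLSv1.2` from the session block would wrongly report TLS 1.2 support for exactly the case shown in this thread.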
5a384507-18ce-417c-bb55-d4dfcc8883fe commented 2020-03-13 14:21:16 +00:00 (Migrated from github.com)

I don't think this deserves a de-list, though, this can be fixed with an e-mail to them.

hugoncosta commented 2020-03-14 13:54:42 +00:00 (Migrated from github.com)

Agreed with @5a384507-18ce-417c-bb55-d4dfcc8883fe, their website is clearly old, but the software is regularly updated; the latest release was 6 days ago ([via GitHub](https://github.com/giorgiotani/PeaZip/releases/tag/7.1.1)). Could the lack of protection on the website lead to a malicious actor changing the downloaded software? We could point to the release page on their [GitHub repo](https://github.com/giorgiotani/PeaZip/releases), although, as you can check on the [Windows download page](https://www.peazip.org/download-installer-p-windows.html), the file is hosted by [OSDN](https://osdn.net/), which has the necessary protections in place. I believe there is no need to change.

dngray commented 2020-03-14 14:55:07 +00:00 (Migrated from github.com)

> I don't think this deserves a de-list, though, this can be fixed with an e-mail to them.

I did send them an email (should have mentioned that). I haven't yet received a reply, but most likely we will just link to their GitHub or [SourceForge](https://sourceforge.net/projects/peazip/files/) page. Both seem to be updated.

dngray commented 2020-03-24 16:35:31 +00:00 (Migrated from github.com)

I'm not entirely sure why it was added in the first place, so my guess is that it was legacy from the days when privacytools.io really had no/little requirements.

This software isn't tracked by version control; the author simply uploads a tarball. I don't really like this, as it makes it difficult to track what has changed through commits. 7-Zip doesn't either, unfortunately.

The author hasn't gotten back to me regarding the issues with their site, although that could have something to do with what is going on in the world currently.

This software is not cryptographically signed, i.e. with pgp or minisign etc. Nor is it in any distribution repositories. The Linux version of this depends on Qt4/GTK2, which are both deprecated in favour of GTK3 and Qt5. [No distribution has packaged](https://pkgs.org/search/?q=peazip) it. I doubt they will while it depends on these libraries. I can't see if there's a development branch with a newer version either. I would be curious to know if future development of this actively developed project has any likelihood of a GTK3/Qt5 port.

I am in favor of #1784 and p7zip, as I feel that would be a better recommendation for Linux/BSD users, since it integrates into tools like [File Roller](https://wiki.gnome.org/Apps/FileRoller), [Xarchiver](https://github.com/ib/xarchiver) and [Ark](https://kde.org/applications/utilities/ark) and is distributed through distribution repositories.

I would be recommending in future requirements for software to be added that it must:

  • Have a source repository, e.g. git, mercurial etc.
  • Signed releases, e.g. pgp clearsign
  • Be open source.
blacklight447 commented 2020-03-24 18:05:16 +00:00 (Migrated from github.com)

I vote for removing peazip and swapping it with 7zip.

ghost commented 2020-03-25 14:16:40 +00:00 (Migrated from github.com)

> I would be recommending in future requirements for software to be added that it must:
>
> * Have source repository, eg git, mercurial etc
> * Signed releases eg pgp clearsign
> * Be open source.

I greatly agree.

dngray commented 2020-03-26 09:27:40 +00:00 (Migrated from github.com)

Also, [Keka is not open source](https://github.com/aonez/Keka#so-where-is-the-source-code), so maybe we should remove that.

EsmailELBoBDev2 commented 2020-04-03 05:34:15 +00:00 (Migrated from github.com)

Nah, the whole idea doesn't go inside my brain. You punish people because they haven't updated their site? I mean, he said the software is updated. Also, what if they're not good at web servers, or they don't know web development? How will that affect my security when using their app? I don't get it. It's not the same programming language, so I don't give a darn if their website is updated or not; all I care about is whether their app is good enough or not, and he clearly said it's kept updated, so nope, give me another reason.

I know it's late, but I gotta say my point of view, and my point of view is that your claim is bad and I want a more convincing one.
peazip commented 2020-04-12 13:44:51 +00:00 (Migrated from github.com)

Hello, in the first place let me apologize for the delay with which TLS 1.2 was implemented and for the lack of prompt feedback.
I can confirm that TLS 1.2 is now supported, and older insecure protocols such as TLS 1.0 and SSL 2/3 were dropped.

Reference: privacyguides/privacytools.io#1782