Fix Tunnelblick Sparkle updates to not use .ly redirect


Cryo

Dec 5, 2015, 5:45:08 PM12/5/15
to tunnelblick-discuss
When updating tunnelblick, please only have it connect to the https://tunnelblick.net downloads directly. If someone doesn't pay .ly or it gets hacked... bad things.

jkbull...gmail.com

Dec 5, 2015, 6:15:55 PM12/5/15
to tunnelblick-discuss
What ".ly" do you mean?

tunnelblick.net hosts everything except disk images. Those .dmg files are hosted by GitHub, and GitHub uses amazon web services, so the downloads come from amazonaws.com as shown in the following Firefox screenshot:

I suppose GitHub could use other hosts, but in my experience they have consistently used AWS.


(It would cost too much to host them on tunnelblick.net and pay for the bandwidth.)


If your Tunnelblick.dmg is being downloaded from a ".ly" address, it sounds like your computer has been hacked or is the target of a "Man in the Middle" attack. (But I don't know how a MITM attack could take place unless MITM-ed by a state-level player who has control of a certificate authority and created forged credentials.)

We suggest verifying downloads. (Of course, if your https: access to the tunnelblick.net website is compromised, you may not be able to get the correct verification checksum and hash.)

In addition to using https: for everything, Tunnelblick's update mechanism uses digital signatures which are not vulnerable to MITM attack. And you could verify the Tunnelblick.app after an update if you want to be extra sure.
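As an added example (not code from this thread or from Tunnelblick), a small Python check for the two things the reply above recommends: that every hop of a download's redirect chain stays on https and on the hosts named in the thread, and that the downloaded file's SHA-256 matches the published checksum. The host allowlist and the sample redirect chain are constructed for illustration.

```python
"""Audit a download's redirect chain and check its SHA-256 (added example)."""
import hashlib
import hmac
from urllib.parse import urlsplit

# Hosts the thread says a Tunnelblick .dmg download legitimately touches:
# tunnelblick.net itself, GitHub, and the AWS storage GitHub serves files from.
# This allowlist is an assumption for the example; adjust it to what you observe.
EXPECTED_HOST_SUFFIXES = ("tunnelblick.net", "github.com", "amazonaws.com")


def host_allowed(host, suffixes=EXPECTED_HOST_SUFFIXES):
    """True if host equals an allowed suffix or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def unexpected_hops(chain, suffixes=EXPECTED_HOST_SUFFIXES):
    """Return the hops of an ordered redirect chain that are not https or whose
    host is outside the allowlist."""
    # The chain can be collected one hop at a time with
    #   curl -sI -o /dev/null -w '%{redirect_url}' <url>      (without -L)
    bad = []
    for url in chain:
        parts = urlsplit(url)
        if parts.scheme != "https" or not host_allowed(parts.hostname or "", suffixes):
            bad.append(url)
    return bad


def digest_matches(data, expected_hex):
    """Constant-time comparison of the data's SHA-256 with a published checksum."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def file_matches(path, expected_hex):
    with open(path, "rb") as f:
        return digest_matches(f.read(), expected_hex)


if __name__ == "__main__":
    # Constructed chain modelled on the thread: site -> GitHub -> bear.ly -> AWS.
    chain = [
        "https://tunnelblick.net/release/something.dmg",
        "https://github.com/EXAMPLE/something.dmg",
        "https://bear.ly/EXAMPLE",
        "https://s3.amazonaws.com/EXAMPLE/something.dmg",
    ]
    for url in unexpected_hops(chain):
        print("unexpected hop:", url)  # flags the bear.ly hop
```

This only checks transport and integrity; it does not replace Sparkle's own signature check on the update, which is what protects the in-app update path.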

Cryo

Dec 5, 2015, 6:45:04 PM12/5/15
to tunnelblick-discuss
Ok, interesting. It was Little Snitch that alerted me that it was going through github, and I was ok with that, but then it tried a redirect through a .ly, which is probably github's attempt for analytics. It was the first time this happened that I noticed. It's MitM that I was worried about, but I'm not sure how this should be approached. Oddly, directly from the site doesn't go through the same redirect.

jkbull...gmail.com

Dec 5, 2015, 8:13:36 PM12/5/15
to tunnelblick-discuss
The download link on tunnelblick.net is of the form

     https://tunnelblick.net/release/something.dmg

For .dmgs, the tunnelblick.net webserver returns a "temporary redirect" to


From what you say, GitHub is redirecting to a .ly, which (eventually) redirects to amazonaws.com.

A post in February pointed out that GitHub registered the bear.ly domain. Is that what you're seeing? What does whois say about the .ly domain that you're seeing?

All tunnelblick.net accesses are handled by the webserver itself except for .dmgs and .zips (the "user contributed" downloads), which is why you don't see any other redirects.

Cryo

Dec 6, 2015, 10:17:37 AM12/6/15
to tunnelblick-discuss
I believe this is exactly what I am seeing. It just caught me off guard and wasn't what I was expecting. I saw that sparkle was calling https://www.tunnelblick.net/appcast.rss, and then the LS trigger fired, so I wanted to make sure there wasn't an issue. Thanks for clarifying the process. :)