cPanel updates are not over https!

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

This is documented at:

Download Security - cPanel Knowledge Base - cPanel Documentation

Here's a quote from this document that explains how the security works:

cPanel & WHM versions 11.48 and later include functionality to validate that all files downloaded from cPanel are delivered in a pristine state. This avoids any possibility of corruption due to a compromise of cPanel’s mirror system or tampering with the server’s connection to cPanel’s systems.

The new signature verification logic requires that all assets downloaded from the httpupdate mirrors are either directly validated through separate GPG signature files, or anchored to a signed asset using cryptographically secure checksums. For instance, the cPanelSync v1 manifest files are signed directly and the files referenced by the manifests are verified through SHA512 hashes.

Assets downloaded from other cPanel systems (such as the public portion of our GPG keys) are validated through SSL connections.
Regarding the validation of GPG keys, these keys are downloaded from Secure Downloads | cPanel, Inc. during the nightly upcp using the system's wget binary.

Let us know if you have any additional questions.

Thank you.
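To illustrate the two-layer scheme the quoted document describes (a GPG-signed manifest whose entries anchor the remaining files by SHA512 hash), here is an added Python example; it is not cPanel's code. The manifest line format, file names and keyring path are constructed for illustration, and the signature step shells out to a system `gpg` binary.

```python
import hashlib
import subprocess

def verify_manifest_signature(manifest_path, sig_path, keyring):
    """Step 1: the manifest must carry a valid detached GPG signature.
    Only keys in the dedicated keyring (assumed path) are trusted, so a
    signature from an unrelated key on the system does not pass."""
    result = subprocess.run(
        ["gpg", "--no-default-keyring", "--keyring", keyring,
         "--verify", sig_path, manifest_path],
        capture_output=True,
    )
    return result.returncode == 0

def parse_manifest(manifest_text):
    """Parse constructed '<sha512-hex>  <path>' lines into {path: hex}."""
    expected = {}
    for line in manifest_text.splitlines():
        if not line.strip():
            continue
        digest, path = line.split(None, 1)
        expected[path] = digest.lower()
    return expected

def verify_anchored_files(manifest_text, files):
    """Step 2: every file the signed manifest lists must hash to the listed
    SHA512. Returns the paths that failed (missing or mismatching); an
    empty list means the download arrived pristine."""
    expected = parse_manifest(manifest_text)
    failures = []
    for path, digest in expected.items():
        data = files.get(path)
        if data is None or hashlib.sha512(data).hexdigest() != digest:
            failures.append(path)
    return failures

# Constructed sample download: two files and a manifest generated from them.
SAMPLE_FILES = {
    "bin/update_tool": b"#!/bin/sh\necho updating\n",
    "etc/config.yaml": b"channel: release\n",
}
SAMPLE_MANIFEST = "".join(
    f"{hashlib.sha512(data).hexdigest()}  {path}\n"
    for path, data in SAMPLE_FILES.items()
)

if __name__ == "__main__":
    print("pristine:", verify_anchored_files(SAMPLE_MANIFEST, SAMPLE_FILES))
    tampered = dict(SAMPLE_FILES, **{"bin/update_tool": b"#!/bin/sh\necho modified\n"})
    print("tampered:", verify_anchored_files(SAMPLE_MANIFEST, tampered))
```

Because only the manifest needs a signature check, a mirror that alters any listed file is caught by the hash mismatch, while a mirror that alters the manifest itself is caught by `gpg --verify`.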
 

cPanelMichael

Hello,

The vendor rules offered directly from cPanel should already exist under "WHM Home » Security Center » ModSecurity™ Vendors » Manage Vendors". Regarding the availability of the new OWASP rules, this is fixed in cPanel version 64:

OWASP ModSecurity Core Rule Set v3

Thank you.