Windows software download sites and HTTPS (or lack thereof)

Discussion in 'other security issues & news' started by Gullible Jones, Sep 7, 2015.

  1. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    Because I'm in a ranty mood tonight. And yes, I know HTTPS is broken anyway in terms of implementation, but it sure beats unencrypted HTTP...

    Here are a list of freeware and/or shareware download sites. I will give them either a pass or fail grade, depending on whether they have working HTTPS at all.

    FileHippo:
    HTTPS security certificate expired in 2013. FAIL.

    Snapfiles:
    No HTTPS. FAIL.

    FileForum/BetaNews:
    No HTTPS. FAIL.

    Download.com/CNET:
    No HTTPS, the TLS cert is for Akamai. FAIL.

    MajorGeeks:
    No HTTPS. Furthermore, from the error response, it appears to be serving unencrypted HTTP on port 443. FAIL.

    Softpedia:
    No HTTPS. FAIL.

    FOSSHub:
    No HTTPS, redirects to plaintext on port 80. FAIL.

    Sourceforge:
    No HTTPS, redirects to plaintext on port 80. FAIL.

    Google Code:
    HTTPS, but is archive only and will soon be shut down. FAIL.

    GItHub:
    HTTPS, but doesn't host binaries. FAIL.

    Gitlab:
    HTTPS, but no binaries and no web search without login. FAIL.

    GNU.org:
    Web pages are HTTPS, but binary downloads are unencrypted. FAIL.

    Bitbucket:
    HTTPS, but no public web search. FAIL.

    Launchpad:
    HTTPS but no Windows binary hosting. FAIL.

    Codeplex:
    HTTPS, public search, encryption for everything including binary downloads. PASS!

    ...

    Kind of telling IMO, that the one and only software/code hosting site of any sort that provides Windows binaries over HTTPS is the one that's maintained by Microsoft. It seems like nobody else cares about the Windows users...
     
  2. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    Yeah, I was recently downloading VMware workstation from them and their own mirror is actually called the Softpedia Secure Download ( :blink: ) and the external mirror, from VMware itself, was HTTPS.
    Actually, I wasn't able download EMET from Microsoft with Firefox, just nothing happened. Turned out Firefox's Mixed Content Protection blocked the download, because even though the site was HTTPS, the download was served over HTTP.
     
  3. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    What kind of overhead will there be to the client connection and servers? I'd say providing a checksum like SHA-256 is better, unless you want more privacy on what programs you download...
     
  4. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    @J_L

    Not as much overhead as you think, these days. :)

    Checksums over unencrypted connections can be tampered with, and a lot of people don't bother checking them anyway. Definitely they should be there though.
     
  5. FossHub

    FossHub Registered Member

    Joined:
    Feb 12, 2016
    Posts:
    1
    Hello,

    I noticed this post back in September and got upset because of it. It's not that we don't care we faced a lot of tech limitations to implement HTTPS. Anyway, as a first thing, we added a few weeks ago HTTPS for all downloads and we also show MD5, SHA1, SHA256 hashes. If you attempt to download any file it will be served via HTTPS, also the updates are handled over secured connections, it's just that the regular user doesn't see this part of the website.

    The only part that still served via standard HTTP are the HTML pages of our website. The main reason for this is a tech limitation of Varnish but we are working to fix this. We estimate it will take us a few more weeks to switch off completely to HTTPS everywhere not just on uploads and downloads which were the critical parts.

    What I said applies to FossHub, the other free services that we use will be also moved to HTTPS - we didn't had the funds to make the changes faster.

    Disclosure: I am a member of FossHub team.

    Regards, Sam - FossHub
     
  6. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    Great!
    I was starting to like FossHub anyway because of Sourceforges controversies, but was still hoping for proper HTTPS.
     
Loading...