Jump to content

Https Download?

linux_user
 Share

Recommended Posts

linux_user

linux_user 2

Posted
Posted

I cannot find a working https:// download URL for the Linux installer, so there's no way I can be sure that the downloaded file is genuine. 

 

Can this be fixed? 

Link to comment
Share on other sites
Arakasi

Arakasi 549

Posted
Posted

You don't need a secure handshake with the servers to tell if it is genuine.

 

Just compare the Hash of the installer once its downloaded against what everyone else is reporting.

Use virustotal if you don't have a hash program.

If the installer you have has a different hash, THEN you can raise your eyebrows and report back here.

Link to comment
Share on other sites
linux_user

linux_user 2

Posted
  • Author
Posted (edited)

Thanks for your answer Arakasi! But I still think there is an issue here.

 

When you download the Windows version of ESET software you get a digitally signed executable so you're good even if there's no https, as Windows checks the signatures.

 

When you download the Linux version you don't have that luxury. Neither you are provided with the official checksums/hashes for the installer files and you have to resort to some other solution like the one you mentioned. Still, that is not a perfect solution as e.g. a malicious state-level actor (to not call names) could "patch" files right after they leave the ESET server, making every single copy of them modified in the same way. Everyone would download the same files, virustotal wouldn't complain but you would still end up with a malware/rootkit on your system. Not that likely scenario, but why is turning https on/providing official checksums not feasible?

 

PS. I actually purchased the license for the Linux version, in case it looked like I was writing about the trial version.

Edited by linux_user
Link to comment
Share on other sites
  • 2 weeks later...
rugk

rugk 397

Posted
Posted (edited)

Yeah you're right. It's really a good idea to offer the downloads "through" a HTTPS connection. Especially for Linux it would of course be useful, but also the other downloads can pushed through HTTPS.

 

Only as a side note: Much more important is to encrypt the update traffic, because there also the license data is sent.

Edited by rugk
Link to comment
Share on other sites
  • 2 months later...
rugk

rugk 397

Posted
Posted

hxxp://securityaffairs.co/wordpress/29589/cyber-crime/tor-exit-node-serves-malware.html

Isn't this a good argument for a HTTPS connection for all (binary) files that were downloaded from ESET?

 

Now I found the article from WeLiveSecurity about the issue: Tor users targeted with exit node malware

Link to comment
Share on other sites
rugk

rugk 397

Posted
Posted (edited)

I have experienced something new.

You can easily access the ESET (main) site (eset.com) through HTTPS. Just add the s to HTTP and it goes.

E.g. you can go to: https://www.eset.com/int/home/products/antivirus-linux/ and you will have a valid SSL connection.

Or here: https://www.eset.com/int/about/technology/

 

But unfortunately you can't download a file (.exe or a .linux executable) through HTTPS. You will be redirected to HTTP and if you try to add the S in HTTPS to the download URL the download will fail.

That's very sad, because this would be the important thing. (Why? See my post before as an example)

Edited by rugk
Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...