linux_user 2 Posted August 11, 2014
I cannot find a working https:// download URL for the Linux installer, so there's no way I can be sure that the downloaded file is genuine. Can this be fixed?

Arakasi 549 Posted August 12, 2014
You don't need a secure handshake with the servers to tell if it is genuine. Just compare the hash of the installer once it's downloaded against what everyone else is reporting. Use VirusTotal if you don't have a hash program. If the installer you have has a different hash, THEN you can raise your eyebrows and report back here.

linux_user 2 Posted August 12, 2014 Author
Thanks for your answer, Arakasi! But I still think there is an issue here. When you download the Windows version of ESET software you get a digitally signed executable, so you're good even if there's no https, as Windows checks the signatures. When you download the Linux version you don't have that luxury. Neither are you provided with the official checksums/hashes for the installer files, and you have to resort to some other solution like the one you mentioned. Still, that is not a perfect solution, as e.g. a malicious state-level actor (not to name names) could "patch" files right after they leave the ESET server, making every single copy of them modified in the same way. Everyone would download the same files, VirusTotal wouldn't complain, but you would still end up with malware/a rootkit on your system. Not a very likely scenario, but why is turning https on/providing official checksums not feasible?
PS. I actually purchased the license for the Linux version, in case it looked like I was writing about the trial version.
Edited August 12, 2014 by linux_user

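The difference between the two checks discussed above, as an added example that is not part of the original thread: a digest taken from the same download path agrees with a file altered in transit, while a digest obtained over an authenticated channel does not. The file name, the sample bytes and the existence of a vendor-published digest are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Stream the file so a large installer need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, trusted_hex):
    """Return True only if the file matches the supplied SHA-256 digest."""
    expected = trusted_hex.strip().lower()
    # Reject malformed input before touching the file.
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("expected a 64-character hex SHA-256 digest")
    return hmac.compare_digest(sha256_file(path), expected)


def demo():
    # Constructed stand-ins: the bytes the vendor published and the bytes
    # every downloader receives if the file is modified in transit.
    published = b"#!/bin/sh\n# constructed sample installer\n"
    received = published + b"# bytes added in transit\n"
    # Assumption: a digest the vendor publishes over HTTPS or in a signed file.
    vendor_digest = hashlib.sha256(published).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "installer.linux")  # hypothetical file name
        with open(path, "wb") as fh:
            fh.write(received)
        # The digest "everyone else is reporting" comes from the same
        # altered download, so it matches the altered file.
        crowd_digest = sha256_file(path)
        return {
            "matches_crowd": verify_download(path, crowd_digest),
            "matches_vendor": verify_download(path, vendor_digest),
        }


if __name__ == "__main__":
    print(demo())
```
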
Arakasi 549 Posted August 12, 2014
Well said. Maybe providing a secure download link would be a decent move for ESET to make for the Linux version.

rugk 397 Posted August 25, 2014
Yeah, you're right. It's really a good idea to offer the downloads "through" an HTTPS connection. Especially for Linux it would of course be useful, but the other downloads can also be pushed through HTTPS.
Only as a side note: much more important is to encrypt the update traffic, because the license data is also sent there.
Edited September 21, 2014 by rugk

rugk 397 Posted October 30, 2014
hxxp://securityaffairs.co/wordpress/29589/cyber-crime/tor-exit-node-serves-malware.html
Isn't this a good argument for an HTTPS connection for all (binary) files that are downloaded from ESET?

rugk 397 Posted November 2, 2014
hxxp://securityaffairs.co/wordpress/29589/cyber-crime/tor-exit-node-serves-malware.html
Isn't this a good argument for an HTTPS connection for all (binary) files that are downloaded from ESET?
Now I found the article from WeLiveSecurity about the issue: Tor users targeted with exit node malware

rugk 397 Posted November 2, 2014
I have experienced something new. You can easily access the ESET (main) site (eset.com) through HTTPS. Just add the s to HTTP and it goes. E.g. you can go to https://www.eset.com/int/home/products/antivirus-linux/ and you will have a valid SSL connection. Or here: https://www.eset.com/int/about/technology/
But unfortunately you can't download a file (.exe or a .linux executable) through HTTPS. You will be redirected to HTTP, and if you try to add the S in HTTPS to the download URL, the download will fail. That's very sad, because this would be the important thing. (Why? See my post before as an example.)
Edited November 2, 2014 by rugk