Jump to content

Https Download?


Recommended Posts

You don't need a secure handshake with the servers to tell if it is genuine.

 

Just compare the Hash of the installer once its downloaded against what everyone else is reporting.

Use virustotal if you don't have a hash program.

If the installer you have has a different hash, THEN you can raise your eyebrows and report back here.

Link to post
Share on other sites

Thanks for your answer Arakasi! But I still think there is an issue here.

 

When you download the Windows version of ESET software you get a digitally signed executable so you're good even if there's no https, as Windows checks the signatures.

 

When you download the Linux version you don't have that luxury. Neither you are provided with the official checksums/hashes for the installer files and you have to resort to some other solution like the one you mentioned. Still, that is not a perfect solution as e.g. a malicious state-level actor (to not call names) could "patch" files right after they leave the ESET server, making every single copy of them modified in the same way. Everyone would download the same files, virustotal wouldn't complain but you would still end up with a malware/rootkit on your system. Not that likely scenario, but why is turning https on/providing official checksums not feasible?

 

PS. I actually purchased the license for the Linux version, in case it looked like I was writing about the trial version.

Link to post
Share on other sites
  • 2 weeks later...

Yeah you're right. It's really a good idea to offer the downloads "through" a HTTPS connection. Especially for Linux it would of course be useful, but also the other downloads can pushed through HTTPS.

 

Only as a side note: Much more important is to encrypt the update traffic, because there also the license data is sent.

Link to post
Share on other sites
  • 2 months later...

hxxp://securityaffairs.co/wordpress/29589/cyber-crime/tor-exit-node-serves-malware.html

Isn't this a good argument for a HTTPS connection for all (binary) files that were downloaded from ESET?

 

Now I found the article from WeLiveSecurity about the issue: Tor users targeted with exit node malware

Link to post
Share on other sites

I have experienced something new.

You can easily access the ESET (main) site (eset.com) through HTTPS. Just add the s to HTTP and it goes.

E.g. you can go to: https://www.eset.com/int/home/products/antivirus-linux/ and you will have a valid SSL connection.

Or here: https://www.eset.com/int/about/technology/

 

But unfortunately you can't download a file (.exe or a .linux executable) through HTTPS. You will be redirected to HTTP and if you try to add the S in HTTPS to the download URL the download will fail.

That's very sad, because this would be the important thing. (Why? See my post before as an example)

Link to post
Share on other sites

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...