This one really should be filed under “well, duh”.

If you’re hosting content that can be misused, abused or exploited in any way, you really need to be using HTTPS. There’s no excuse. None.

And if you happen to host binary downloads of any kind, you’re sure doing many of us a favor if you (a) do this via HTTPS as well, and (b) provide checksums for said binaries.

It’s not only that I distrust various governments’ wish and ability to tamper with what flows through the ether. People also tend to download things while on untrusted networks. And who knows who might have infected the router there with some newfound malware. And even if the router is fine, then what about the printer? And the guy in the corner running arpspoof?

Let’s just stick to HTTPS. I’m sure we all agree that’s better.

Don’t we, Oracle?

Or do we?

All VirtualBox downloads are linked through http://download.virtualbox.org/*.

Fine, I’ll try downloading from https://download.virtualbox.org.

Err.. Ok, no HTTPS.

So where do these links take us anyways?

Oh, ok. So what about https://dlc.sun.com.edgesuite.net?

Right. Invalid certificate chain.

Fine. I’ll just download it over HTTP, then verify the checksum afterwards.

Seriously?

Great. So while dlc.sun.com.edgesuite.net does have an HTTPS endpoint, its certificate chain is invalid.

There’s no point in exposing checksums when they are hosted on the same server as the binaries. And even less so when that server neither advertises HTTPS support nor has a valid SSL certificate.

I give up.
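
The checksum argument above, as an added example (not code from this post or from Oracle): it flags a checksum that arrives over the same untrusted channel as the binary, then verifies a download against a `sha256sum`-style list. The file name, URL paths, the `checksums.example.org` host and the sample bytes are constructed for illustration, and certificate-chain validation is assumed to be done by whatever HTTPS client fetches the list.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

def checksum_channel_issues(binary_url, checksum_url):
    """Return reasons why a published checksum adds no integrity guarantee."""
    b, c = urlsplit(binary_url), urlsplit(checksum_url)
    issues = []
    if c.scheme != "https":
        issues.append("checksum fetched without TLS: anyone on the path can rewrite it")
    if b.hostname == c.hostname:
        issues.append("checksum shares a host with the binary: one compromise replaces both")
    return issues

def expected_digest(sums_text, filename):
    """Look up filename in sha256sum-style text ('<hex>  <name>' or '<hex> *<name>')."""
    for line in sums_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        name = parts[1].strip()
        if name.startswith("*"):          # binary-mode marker used by sha256sum
            name = name[1:]
        if name == filename:
            digest = parts[0].lower()
            if len(digest) != 64 or any(ch not in "0123456789abcdef" for ch in digest):
                raise ValueError("malformed SHA-256 digest for " + filename)
            return digest
    raise KeyError(filename + " not listed in checksum file")

def verify_download(data, sums_text, filename):
    """True only if data hashes to the digest listed for filename."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_digest(sums_text, filename))

# Constructed sample data: hypothetical file name and contents, not real VirtualBox artifacts.
GOOD = b"constructed installer bytes"
TAMPERED = b"constructed installer bytes, modified in transit"
SUMS = hashlib.sha256(GOOD).hexdigest() + " *example-installer.bin\n"

if __name__ == "__main__":
    # Hypothetical paths on the host named in the post: both problems are reported.
    for issue in checksum_channel_issues(
            "http://download.virtualbox.org/example-installer.bin",
            "http://download.virtualbox.org/SHA256SUMS"):
        print("WARNING:", issue)
    print("intact file verifies:", verify_download(GOOD, SUMS, "example-installer.bin"))
    print("tampered file verifies:", verify_download(TAMPERED, SUMS, "example-installer.bin"))
```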
