
I actually check for TLS before I use any exe files.

I've been trying to download a bootable USB creator tool for Windows. However, I can't find a single one that actually uses any form of TLS (or even a torrent).

Even Canonical seems to support this. http://www.ubuntu.com/download/desktop/create-a-usb-stick-on-windows

This feels like a massive security hole. Why is it such common practice?

00500005
  • Is there a checksum provided somewhere on an HTTPS page? – thexacre Nov 05 '15 at 12:30
  • I guess you could more generally ask why HTTPS is not used everywhere on the web in general. In fact for large downloads it should make even less of a difference performance-wise (because the handshake is the most costly thing). – phk Nov 05 '15 at 12:46
  • @phk Executable content is a different level of vulnerability though. Browser-rendered content has to make it through the browser sandbox and exploit browser vulnerabilities. A MIM attack on a downloaded executable bypasses all of that. – 00500005 Nov 05 '15 at 14:56
  • Because HTTPS is not free and you have to pay to obtain a certificate, people who try to give free content can't pay for extra things like HTTPS... – Froggiz Nov 05 '15 at 15:21
  • @Froggiz you're right, but that's still a bad answer. – 00500005 Nov 05 '15 at 15:36
