
I am downloading an in-between version of MacOS necessary to update to High Sierra from an older version of El Capitan from here.

Funny thing is, when I right click and get the download link from Chrome, it gives me an HTTP, not HTTPS. So, I attempted to get it with a browser and using wget and no matter how I try to get it, I get a 302 moved temporarily redirect to an insecure connection.

Try it: https://support.apple.com/downloads/DL1930/en_US/macosupd10.12.6.dmg

That link will redirect to the non-secure version of itself. There is no way to know that the dmg file you get has been altered.

    I modified the question to make it more concise. I hope you're fine with me editing out the "NSA" part (and hopefully don't think I'm part of a larger conspiracy). – Arminius Oct 28 '17 at 02:43
  • The dmg file has a checksum, and is verified by MacOS – user2497 Oct 28 '17 at 13:21

1 Answer


It's common practice to offer large file downloads over plain HTTP and rely on other means to ensure file integrity. Since your MacOS checks the signature before installing the update (or anything else) and thereby verifies that the file has not been altered, you don't risk installing malware.

This procedure compromises confidentiality (an eavesdropper can see what you're downloading), but it is somewhat faster since it skips the TLS encryption/decryption parts.

Edit: Turns out we have already discussed this in-depth: Why aren't application downloads routinely done over HTTPS?

  • The NSA must have hired you to say this!! Kidding. I was actually hoping for an answer like this. It makes sense for large files. It's like the NIX package manager using hashes to verify the library content. – Timothy Swan Oct 28 '17 at 02:40
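The pattern the answer describes, fetching the bytes over an unauthenticated channel and letting a separately obtained integrity value decide whether they are trusted, as an added example in Python (not code from the question, the answer, or Apple). The "download" and the trusted digest are constructed inline; in practice the digest or signature comes over an authenticated channel (an HTTPS page, signed package metadata), never from the same HTTP response as the file.

```python
"""Integrity check for an artifact fetched over plain HTTP.

Added example, not from the original post: models the answer's point that
transport security is not what protects the installer. The file body may be
altered in transit; a digest obtained over an authenticated channel is what
gates the install.
"""
import hashlib
import hmac

# Constructed sample "download": stands in for the .dmg body. Any bytes work.
GENUINE_DMG = b"constructed sample dmg payload v10.12.6"

# Digest of the genuine file. Assumption: this value was published over an
# authenticated channel (HTTPS manifest, signed metadata), not the HTTP body.
TRUSTED_SHA256 = hashlib.sha256(GENUINE_DMG).hexdigest()


def sha256_hex(data: bytes, chunk_size: int = 1 << 16) -> str:
    """Hash in chunks so a multi-GB image need not be processed in one call."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk_size):
        h.update(data[i:i + chunk_size])
    return h.hexdigest()


def verify_download(data: bytes, trusted_sha256: str) -> bool:
    """True only if the downloaded bytes match the trusted digest.

    compare_digest is a constant-time comparison; not strictly needed for a
    local file check, but the right habit wherever a comparison gates trust.
    """
    return hmac.compare_digest(sha256_hex(data), trusted_sha256.lower())


def fetch_over_http(tampered: bool = False) -> bytes:
    """Simulated insecure fetch: an on-path party could alter the body."""
    if tampered:
        # One character changed in transit; the digest no longer matches.
        return GENUINE_DMG.replace(b"payload", b"payl0ad")
    return GENUINE_DMG


def install_if_verified(data: bytes, trusted_sha256: str) -> str:
    """Gate the install on the integrity check, as the answer says macOS does."""
    if not verify_download(data, trusted_sha256):
        return "rejected: digest mismatch, file altered or wrong download"
    return "installed"


if __name__ == "__main__":
    print(install_if_verified(fetch_over_http(), TRUSTED_SHA256))
    print(install_if_verified(fetch_over_http(tampered=True), TRUSTED_SHA256))
```

The check is only as strong as the channel the digest came from: a SHA-256 printed on the same HTTP page as the download can be rewritten along with the file, which is why macOS relies on Apple's code signature rather than a published hash (on a Mac, `codesign --verify --verbose` on a signed image or `spctl --assess --type install` on an installer package performs that check). What the plain-HTTP download still leaks is confidentiality: anyone on the path sees which update you fetched.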