0

When downloading a file is there a safety concern when downloading from http connections/websites not https?

schroeder
  • 123,438
  • 55
  • 284
  • 319
Luke F
  • 33
  • 1
  • 6

5 Answers

3

Yes, there are plenty of security concerns with downloading over unencrypted lines.

But if you must download content over unencrypted http, as is still done for some package repos, you need at least to verify the file you download in some other way.

The most common way is to use a hash, downloaded over a trusted channel (https, usually) or which is signed by someone you trust.

In either case, you must take care to verify that the file you have the hash for is the specific file you wanted, not just any file ever produced by the trusted source. This is to avoid certain attacks, such as where a "man in the middle" replaces the latest version of the application you want with an older one (but issued with a hash signed by the correct source) known to be vulnerable.

Geir Emblemsvag
  • 1,589
  • 1
  • 11
  • 14
2

It's safe to download a file using http instead of https, if:

1) The file does not contain private or sensitive information
2) You have a way of verifying the integrity of the file after downloading it

With regard to 2, this is usually done by way of verifying a digital signature of the file made by a trusted signer using the signer's public key; or by verifying a checksum of the file, where the expected checksum is obtained from a trusted source.

As a matter of fact, for many years, Ubuntu ISO downloads from Ubuntu's servers were only available via http (and not https). This is because privacy was not a concern, and the ISOs were signed using Ubuntu's public keys (and checksums of the ISOs were published on one of Ubuntu's https sites). See https://askubuntu.com/questions/352952/are-repository-lists-secure-is-there-an-https-version

mti2935
  • 19,868
  • 2
  • 45
  • 64
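The two answers above both come down to the same procedure: fetch a checksum manifest over a trusted channel, then compare the hash of the downloaded bytes against the entry for the exact file you asked for. The following is an added, self-contained example (not code from either answerer, and not Ubuntu's tooling) that parses a SHA256SUMS-style manifest and performs that check. The file contents and the manifest are constructed inline so it runs offline; the file names `example-os-2.0.iso` and `example-os-1.9.iso` are hypothetical. It also shows the weaker "is this hash listed anywhere?" check that the first answer warns about, which happily accepts an older, still-signed release.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of the downloaded bytes as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def parse_sha256sums(text: str) -> dict:
    """Parse a SHA256SUMS-style manifest.

    Each line is '<64 hex chars>  <name>' (text mode) or '<hex> *<name>'
    (binary mode), as written by `sha256sum`. Returns {name: hex_digest}.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line: {line!r}")
        digest, name = parts
        entries[name.lstrip("*")] = digest.lower()
    return entries


def verify_download(wanted_name: str, data: bytes, manifest: dict) -> bool:
    """Correct check: the hash of what we downloaded must equal the hash the
    trusted manifest lists for the specific file we intended to download.
    A name the trusted source never published is treated as a failure."""
    expected = manifest.get(wanted_name)
    if expected is None:
        return False
    # Constant-time comparison; harmless here but the right habit for digests.
    return hmac.compare_digest(expected, sha256_hex(data))


def hash_appears_anywhere(data: bytes, manifest: dict) -> bool:
    """Weak check to avoid: accepts *any* file the source ever published,
    so a downgraded (older, vulnerable) release still passes."""
    return sha256_hex(data) in manifest.values()


# Constructed sample "downloads" standing in for ISO images (not real files).
CURRENT_ISO = b"constructed payload: example-os-2.0.iso"
OLD_ISO = b"constructed payload: example-os-1.9.iso (older release)"
TAMPERED_ISO = b"constructed payload: modified example-os-2.0.iso"

# The manifest the trusted source would serve over https. It is generated
# here from the constructed contents so the example is self-contained.
TRUSTED_MANIFEST_TEXT = "\n".join(
    f"{sha256_hex(content)} *{name}"
    for name, content in [
        ("example-os-2.0.iso", CURRENT_ISO),
        ("example-os-1.9.iso", OLD_ISO),
    ]
)
TRUSTED_MANIFEST = parse_sha256sums(TRUSTED_MANIFEST_TEXT)


if __name__ == "__main__":
    wanted = "example-os-2.0.iso"
    for label, blob in [("genuine", CURRENT_ISO), ("tampered", TAMPERED_ISO),
                        ("rollback to 1.9", OLD_ISO)]:
        print(f"{label:16} strict={verify_download(wanted, blob, TRUSTED_MANIFEST)!s:5} "
              f"anywhere={hash_appears_anywhere(blob, TRUSTED_MANIFEST)}")
```

The strict check rejects both a modified file and the rollback to 1.9, because it keys the lookup on the file name you intended to fetch; the "anywhere" check rejects only the modified file. In practice the manifest itself must come from somewhere you trust (an https page, or a detached signature you verify with the publisher's key), since a manifest fetched over the same plain http connection could be swapped along with the file.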
1

Without the protection of HTTPS, it is easier to interfere with the connection and replace the file with something malicious.

schroeder
  • 123,438
  • 55
  • 284
  • 319
0

I think the response is no: a cracker could put an HTTPS server with malware on the Internet and you would be downloading it over a valid HTTPS session.

camp0
  • 2,172
  • 1
  • 10
  • 10
0

Note that Chrome browser will soon start blocking http:// downloads started from https:// pages: https://security.googleblog.com/2020/02/protecting-users-from-insecure_6.html

Z.T.
  • 7,768
  • 1
  • 20
  • 35