3

Why is the site doing this? Is that a security flaw? In general, I'd be wary about using an HTTP site instead of an HTTPS one, although regarding TrueCrypt specifically, I came to trust it. I wonder why they don't use the higher standard of HTTPS.

Quora Feans

2 Answers

3

The reason for this behavior is simply a poorly-run website. Today there's no logical reason to not serve a site over HTTPS, though that hasn't been true forever. Currently the only files I could find that are served over HTTPS are the PGP signatures. Though, critically, the page that links to those signatures is not served over HTTPS, which somewhat defeats the purpose.

It has been mentioned more than once that there is significant incentive for an attacker to MITM the truecrypt website and serve a modified version of their software, along with correspondingly updated PGP signatures and keys. The refusal of the truecrypt team to serve their website over SSL makes such an attack trivial for a correctly-positioned attacker.

So far, the truecrypt team hasn't cared.

tylerl
  • Either that or at least publish the sha256. Hashes are published in the blog https://truecryptcheck.wordpress.com/. But why would someone trust it? – Quora Feans Nov 06 '13 at 14:23
  • BTW, according to http://security.stackexchange.com/questions/4369/why-is-https-not-the-default-protocol?rq=1, apparently there are good reasons not to use HTTPS (but not in this case). – Quora Feans Nov 06 '13 at 16:24
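The point made in this answer and in the comment about published hashes can be shown concretely: a digest (or signature link) that arrives over the same unauthenticated HTTP channel as the binary protects nothing, because an on-path attacker rewrites both together, whereas a digest pinned from a separately trusted channel catches the swap. The example below is added here and is not code from the question, the answers, or the TrueCrypt project; the installer bytes and digests are constructed sample data, not real release artifacts.

```python
import hashlib
import hmac

# Constructed sample data standing in for a real installer and a backdoored copy.
GENUINE_INSTALLER = b"TrueCrypt Setup (genuine, constructed sample)"
TAMPERED_INSTALLER = b"TrueCrypt Setup (modified, constructed sample)"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of the downloaded bytes."""
    return hashlib.sha256(data).hexdigest()


def verify(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the file digest against a reference digest."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


def simulate_download(attacker_on_path: bool, digest_from_same_channel: bool):
    """Model a download page served over plain HTTP.

    attacker_on_path: an on-path attacker rewrites the HTTP responses.
    digest_from_same_channel: the reference digest is read from that same HTTP
        page rather than from a separately trusted (pinned) source.
    Returns (verification_passed, file_is_genuine).
    """
    # Reference obtained out of band, e.g. over an authenticated channel or a
    # previously recorded value; this is the only thing the attacker cannot touch.
    pinned_digest = sha256_hex(GENUINE_INSTALLER)

    served_file = GENUINE_INSTALLER
    served_digest = pinned_digest
    if attacker_on_path:
        # The attacker swaps the binary and the hash/signature link in lockstep.
        served_file = TAMPERED_INSTALLER
        served_digest = sha256_hex(TAMPERED_INSTALLER)

    reference = served_digest if digest_from_same_channel else pinned_digest
    return verify(served_file, reference), served_file == GENUINE_INSTALLER


if __name__ == "__main__":
    for attacker in (False, True):
        for same_channel in (True, False):
            ok, genuine = simulate_download(attacker, same_channel)
            print(f"attacker={attacker!s:5} same_channel={same_channel!s:5} "
                  f"verified={ok!s:5} genuine={genuine}")
```

The dangerous row is attacker on path plus digest from the same channel: verification succeeds while the file is not genuine, which is exactly the case the answer describes.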
2

Don't worry about it; this is the actual intended behaviour of the site. A site that is serving TrueCrypt or KeePass should be using HTTPS. It's an embarrassment that such sites are completely reluctant to follow such basic security standards.

There's no legitimate reason for these sites not to use HTTPS. Unfortunately, this is the way it is and there's nothing to do about it.

Adi