{"id":611,"date":"2014-03-11T11:53:33","date_gmt":"2014-03-11T09:53:33","guid":{"rendered":"http:\/\/bergs.biz\/blog\/?p=611"},"modified":"2014-03-11T11:53:33","modified_gmt":"2014-03-11T09:53:33","slug":"insecure-self-updates-via-plain-http","status":"publish","type":"post","link":"https:\/\/bergs.biz\/blog\/2014\/03\/11\/insecure-self-updates-via-plain-http\/","title":{"rendered":"Insecure self-updates via plain HTTP"},"content":{"rendered":"

Yesterday I discovered by chance (since I was running the program whose name I will not disclose yet on my Mac where I’m using Little Snitch<\/a> to control outgoing connections) that a program created by one of the few software giants does not use<\/em> SSL to ensure the integrity of self-updates, but just uses plain HTTP so that attackers can modify downloads and thereby introduce malicious code.<\/p>\n

Immediately I got in touch with the manufacturer of the application, and only 9 hours later they came back to me with the below response:<\/p>\n

Right now <unnamed product> download server supports only HTTP and not HTTPS, so we don't have any immediate solution to offer. However we are keeping notes of this concern and we will address it.<\/pre>\n
Is this not simply unbelievable?!<\/p>\n
Remember we’re not talking about someone who does this for a hobby, who may not have the money or time or even knowledge to implement SSL on their server. But we’re talking about one of the largest IT companies in the world… \ud83d\ude41<\/p>\n
I will now wait for a while, and if they haven’t fixed the issue by then I will disclose it on my blog anyway to put pressure on them… But maybe they do it intentionally in order to aid the NSA?! :-\/<\/p>\n","protected":false},"excerpt":{"rendered":"
Yesterday I discovered by chance (since I was running the program whose name I will not disclose yet on my Mac where I’m using Little Snitch to control outgoing connections) that a program created by one of the few software giants does not use SSL to ensure the integrity of self-updates, but just uses plain […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,46],"tags":[116,36],"class_list":["post-611","post","type-post","status-publish","format-standard","hentry","category-computers","category-security-computers","tag-self-updates","tag-ssl"],"yoast_head":"\nInsecure self-updates via plain HTTP - Ralf's Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/bergs.biz\/blog\/2014\/03\/11\/insecure-self-updates-via-plain-http\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Insecure self-updates via plain HTTP - Ralf's Blog\" \/>\n<meta property=\"og:description\" content=\"Yesterday I discovered by chance (since I was running the program whose name I will not disclose yet on my Mac where I’m using Little Snitch to control outgoing connections) that a program created by one of the few software giants does not use SSL to ensure the integrity of self-updates, but just uses plain […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/bergs.biz\/blog\/2014\/03\/11\/insecure-self-updates-via-plain-http\/\" \/>\n<meta property=\"og:site_name\" content=\"Ralf's Blog\" \/>\n<meta property=\"article:published_time\" content=\"2014-03-11T09:53:33+00:00\" \/>\n<meta name=\"author\" content=\"Ralf Bergs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@ralfbergs\" \/>\n<meta name=\"twitter:site\" content=\"@ralfbergs\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Ralf Bergs\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/2014\\\/03\\\/11\\\/insecure-self-updates-via-plain-http\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/2014\\\/03\\\/11\\\/insecure-self-updates-via-plain-http\\\/\"},\"author\":{\"name\":\"Ralf Bergs\",\"@id\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/#\\\/schema\\\/person\\\/354e37390b493c875f972bd313d29201\"},\"headline\":\"Insecure self-updates via plain HTTP\",\"datePublished\":\"2014-03-11T09:53:33+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/2014\\\/03\\\/11\\\/insecure-self-updates-via-plain-http\\\/\"},\"wordCount\":190,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/#\\\/schema\\\/person\\\/354e37390b493c875f972bd313d29201\"},\"keywords\":[\"self-updates\",\"ssl\"],\"articleSection\":[\"Computers\",\"Security\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/bergs.biz\\\/blog\\\/2014\\\/03\\\/11\\\/insecure-self-updates-via-plain-http\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/2014\\\/03\\\/11\\\/insecure-self-updates-via-plain-http\\\/\",\"url\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/2014\\\/03\\\/11\\\/insecure-self-updates-via-plain-http\\\/\",\"name\":\"Insecure self-updates via plain HTTP - Ralf's Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/#website\"},\"datePublished\":\"2014-03-11T09:53:33+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/2014\\\/03\\\/11\\\/insecure-self-updates-via-plain-http\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/bergs.biz\\\/blog\\\/2014\\\/03\\\/11\\\/insecure-self-updates-via-plain-http\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/2014\\\/03\\\/11\\\/insecure-self-updates-via-plain-http\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Insecure self-updates via plain HTTP\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/\",\"name\":\"Ralf's Blog\",\"description\":\"Just another WordPress weblog\",\"publisher\":{\"@id\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/#\\\/schema\\\/person\\\/354e37390b493c875f972bd313d29201\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/#\\\/schema\\\/person\\\/354e37390b493c875f972bd313d29201\",\"name\":\"Ralf Bergs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/Ralf-Tower-2026-1024x1024.jpg\",\"url\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/Ralf-Tower-2026-1024x1024.jpg\",\"contentUrl\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/Ralf-Tower-2026-1024x1024.jpg\",\"width\":1024,\"height\":1024,\"caption\":\"Ralf Bergs\"},\"logo\":{\"@id\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/Ralf-Tower-2026-1024x1024.jpg\"},\"description\":\"Geek, computer guy, licensed and certified electrical and computer engineer, husband, best daddy.\",\"sameAs\":[\"https:\\\/\\\/bergs.biz\\\/\",\"https:\\\/\\\/linkedin.com\\\/in\\\/ralfbergs\\\/\",\"https:\\\/\\\/x.com\\\/ralfbergs\"],\"url\":\"https:\\\/\\\/bergs.biz\\\/blog\\\/author\\\/rabe\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Insecure self-updates via plain HTTP - Ralf's Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/bergs.biz\/blog\/2014\/03\/11\/insecure-self-updates-via-plain-http\/","og_locale":"en_US","og_type":"article","og_title":"Insecure self-updates via plain HTTP - Ralf's Blog","og_description":"Yesterday I discovered by chance (since I was running the program whose name I will not disclose yet on my Mac where I’m using Little Snitch to control outgoing connections) that a program created by one of the few software giants does not use SSL to ensure the integrity of self-updates, but just uses plain […]","og_url":"https:\/\/bergs.biz\/blog\/2014\/03\/11\/insecure-self-updates-via-plain-http\/","og_site_name":"Ralf's Blog","article_published_time":"2014-03-11T09:53:33+00:00","author":"Ralf Bergs","twitter_card":"summary_large_image","twitter_creator":"@ralfbergs","twitter_site":"@ralfbergs","twitter_misc":{"Written by":"Ralf Bergs","Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/bergs.biz\/blog\/2014\/03\/11\/insecure-self-updates-via-plain-http\/#article","isPartOf":{"@id":"https:\/\/bergs.biz\/blog\/2014\/03\/11\/insecure-self-updates-via-plain-http\/"},"author":{"name":"Ralf Bergs","@id":"https:\/\/bergs.biz\/blog\/#\/schema\/person\/354e37390b493c875f972bd313d29201"},"headline":"Insecure self-updates via plain HTTP","datePublished":"2014-03-11T09:53:33+00:00","mainEntityOfPage":{"@id":"https:\/\/bergs.biz\/blog\/2014\/03\/11\/insecure-self-updates-via-plain-http\/"},"wordCount":190,"commentCount":0,"publisher":{"@id":"https:\/\/bergs.biz\/blog\/#\/schema\/person\/354e37390b493c875f972bd313d29201"},"keywords":["self-updates","ssl"],"articleSection":["Computers","Security"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/bergs.biz\/blog\/2014\/03\/11\/insecure-self-updates-via-plain-http\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/bergs.biz\/blog\/2014\/03\/11\/insecure-self-updates-via-plain-http\/","url":"https:\/\/bergs.biz\/blog\/2014\/03\/11\/insecure-self-updates-via-plain-http\/","name":"Insecure self-updates via plain HTTP - Ralf's Blog","isPartOf":{"@id":"https:\/\/bergs.biz\/blog\/#website"},"datePublished":"2014-03-11T09:53:33+00:00","breadcrumb":{"@id":"https:\/\/bergs.biz\/blog\/2014\/03\/11\/insecure-self-updates-via-plain-http\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/bergs.biz\/blog\/2014\/03\/11\/insecure-self-updates-via-plain-http\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/bergs.biz\/blog\/2014\/03\/11\/insecure-self-updates-via-plain-http\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/bergs.biz\/blog\/"},{"@type":"ListItem","position":2,"name":"Insecure self-updates via plain HTTP"}]},{"@type":"WebSite","@id":"https:\/\/bergs.biz\/blog\/#website","url":"https:\/\/bergs.biz\/blog\/","name":"Ralf's Blog","description":"Just another WordPress weblog","publisher":{"@id":"https:\/\/bergs.biz\/blog\/#\/schema\/person\/354e37390b493c875f972bd313d29201"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/bergs.biz\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/bergs.biz\/blog\/#\/schema\/person\/354e37390b493c875f972bd313d29201","name":"Ralf Bergs","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/bergs.biz\/blog\/wp-content\/uploads\/2026\/04\/Ralf-Tower-2026-1024x1024.jpg","url":"https:\/\/bergs.biz\/blog\/wp-content\/uploads\/2026\/04\/Ralf-Tower-2026-1024x1024.jpg","contentUrl":"https:\/\/bergs.biz\/blog\/wp-content\/uploads\/2026\/04\/Ralf-Tower-2026-1024x1024.jpg","width":1024,"height":1024,"caption":"Ralf Bergs"},"logo":{"@id":"https:\/\/bergs.biz\/blog\/wp-content\/uploads\/2026\/04\/Ralf-Tower-2026-1024x1024.jpg"},"description":"Geek, computer guy, licensed and certified electrical and computer engineer, husband, best daddy.","sameAs":["https:\/\/bergs.biz\/","https:\/\/linkedin.com\/in\/ralfbergs\/","https:\/\/x.com\/ralfbergs"],"url":"https:\/\/bergs.biz\/blog\/author\/rabe\/"}]}},"_links":{"self":[{"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/posts\/611","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/comments?post=611"}],"version-history":[{"count":1,"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/posts\/611\/revisions"}],"predecessor-version":[{"id":612,"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/posts\/611\/revisions\/612"}],"wp:attachment":[{"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/media?parent=611"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/categories?post=611"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/tags?post=611"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}