I went to download Sophos Anti-Virus for Mac, Home Edition and noticed that the download site was HTTP-only. Trying to simply substitute an https URL for the download gave me a certificate warning (the certificate identified some akamai CDN servers, not sophos.com).
Thankfully, SophosSupport on twitter was able to give me an MD5 of the download so that I could verify (sorta) that the .dmg i was downloading was indeed from Sophos. They also said they'd talk to the web team at Sophos about the certificate.
Now, arguably, most people won't blink twice when downloading software, but It really concerned me that I couldn't verify the identity of the server I was downloading this *executable* from. Home users won't have a Sophos web appliance to protect them ;)
Does Sophos plan to offer protection against MiTM (and/or hacked download server) attacks for its consumer products? And, out of curiosity, what other protections are provided against MiTM attacks for SAV-HE? Are auto-updates protected? How about IDEs/virus-definition updates?
(P.S. Kudos to Sophos for releasing this tool, looking forward to getting it installed)
This thread was automatically locked due to age.
