[clamav-users] Why virus definition DB download url is not https?

Paul Kosinski clamav-users at iment.com
Fri Dec 13 00:51:36 UTC 2019


Yeah, I also don't see that "plain" HTTPS adds to security. Unless ...
the download mechanism (libcurl?) makes sure the certificate presented
by the HTTPS server is really owned by ClamAV. (E.g., it could use its
built-in public key, rather than using the one sent by the HTTPS server.)

Otherwise, DNS hijacking (etc.) might route freshclam to a bogus server
which delivers a bogus DB using its *own* HTTPS cert. The DBs' embedded
signature(s) should be able to catch this, of course.

P.S. Validating the HTTPS cert would fail if freshclam is behind one of
those unpleasant HTTPS MITM proxies that some organizations use.


On Thu, 12 Dec 2019 11:56:20 -0800
Al Varnell via clamav-users <clamav-users at lists.clamav.net> wrote:

> Each DB's integrity is protected by an embedded signature, so https
> adds little or nothing to security here.
> 
> -Al-
> 
> On Dec 12, 2019, at 11:45, kaifeng zeng via clamav-users
> <clamav-users at lists.clamav.net> wrote:
> > 
> > Hi,
> > 
> > One of the recommended ways to get the latest virus definition DB is
> > through the following links. Why are they not https? Thanks!
> > 
> > http://database.clamav.net/main.cvd
> > 
> > http://database.clamav.net/daily.cvd
> > 
> > http://database.clamav.net/bytecode.cvd
> > 
> > Kaifeng
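As an added example (not ClamAV's or freshclam's code) of the embedded integrity fields the thread refers to, the snippet below reads a .cvd header and checks its MD5 field against the file body. The header layout follows libclamav's cvd parser as I understand it (512-byte ASCII header, colon-separated, MD5 over everything after the header), and the sample file bytes are constructed; the dsig field, which is the part a bogus server cannot forge without ClamAV's private key, is only surfaced here, since verifying it needs ClamAV's built-in RSA public key.

```python
"""Read a ClamAV .cvd header and check the body MD5 (added example, not ClamAV code).

Header fields (index 0 is the literal "ClamAV-VDB"):
  1 build time   2 version   3 signature count   4 functionality level
  5 MD5 of everything after the 512-byte header
  6 RSA signature over that MD5 (dsig)   7 builder   8 build time (epoch)
The dsig is NOT verified here: that needs ClamAV's built-in RSA public key.
"""
import hashlib

HEADER_LEN = 512  # fixed-size header, padded to 512 bytes

def parse_cvd_header(header: bytes) -> dict:
    """Split the 512-byte header into named fields; reject non-CVD input."""
    fields = header.rstrip(b"\x00 ").decode("ascii", errors="strict").split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 9:
        raise ValueError("not a ClamAV-VDB header")
    return {"time": fields[1], "version": int(fields[2]), "sigs": int(fields[3]),
            "fl": int(fields[4]), "md5": fields[5].lower(), "dsig": fields[6],
            "builder": fields[7], "stime": int(fields[8])}

def check_cvd(data: bytes) -> dict:
    """Parse the header and report whether the body matches the embedded MD5."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated CVD file")
    info = parse_cvd_header(data[:HEADER_LEN])
    body_md5 = hashlib.md5(data[HEADER_LEN:]).hexdigest()
    info["md5_ok"] = (body_md5 == info["md5"])
    # A swapped body (e.g. served by a bogus mirror) fails here; a swapped
    # header with a matching MD5 is only caught by verifying info["dsig"].
    return info

def build_sample_cvd(body: bytes, version: int = 25659) -> bytes:
    """Constructed sample: a self-consistent header with a placeholder dsig."""
    head = "ClamAV-VDB:13 Dec 2019 05-32 -0500:%d:1:63:%s:PLACEHOLDER-DSIG:example:1576233143" % (
        version, hashlib.md5(body).hexdigest())
    return head.encode("ascii").ljust(HEADER_LEN, b" ") + body

if __name__ == "__main__":
    good = build_sample_cvd(b"constructed signature tarball bytes")
    print(check_cvd(good)["md5_ok"])               # True
    bad = good[:HEADER_LEN] + b"tampered body"
    print(check_cvd(bad)["md5_ok"])                # False
```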
