For a while now, downloads from Microsoft sites like the MS Update Catalog have been flagged as shown in the attached images:
I searched the forum for 'unsafe downloads' but did not find anything on topic.
Does anyone know why MS cannot say their own files are safe, or is this now considered a feature, or just something that is not a priority for MS to change?
Perhaps it is just my OCD, but this bugs me.
Interesting. This has bugged me too for a while, but not enough that I bothered to investigate. It was one of those items to investigate "when I got around to it".
Prompted by your query, I did a search and found the following explanation:
https://docs.microsoft.com/en-us/ans...ded-secur.html
For reasons best known to themselves, Microsoft have chosen to deliver all downloads from an HTTP server, not an HTTPS one. Note the URL in this screenshot.
The warning that now appears is nothing to do with any changes MS have made, they have always been using an HTTP server. What has changed recently is that all browsers now alert you when you try to use an insecure connection like this one.
Yes, it makes no sense to me either
Bit there is no real insecurity. HTTPS primarily protects information you send to the website. It doesn't make a download any more secure.
https://www.microsoft.com/security/b...he-difference/Microsoft said:
What does make your download from the MS Catalog safe is the ability to check that what you downloaded has the correct SHA1 checksum. If you ever wondered why every download from MS has a very long random character string as the end part of its file name, now you know - it's the SHA1 checksum that you should get if you check the file. Amongst other things, 7-Zip can be used to generate a file's checksum.
Quote
