In "Why Downloads Fail, Part 4," I provided thoughts on why users end up with "corrupt" files after a download. While I felt the list was fairly complete, I've been reminded of another possible reason, albeit unpleasant to discuss. For the sake of completeness, I'd like to address it.

The question arises as to whether "bad guys" (and we know there is no shortage of them trying to make our lives miserable on the 'net) could introduce bogus content into files -- while they're downloading -- so that we unwittingly end up with something other than what we set out to get. I suppose that would qualify as a "corrupt" file, especially one that all of a sudden is full of spyware, adware, or rootkits!

The theory goes that if we're not using SSL (that is, an encrypted and secured tunnel for our download content), someone could intercept a download somewhere between the server and the client and interject a trojan into the file. I assume this is possible but am definitely not convinced this is more than the most remote likelihood! If the file is an executable and compressed (as most of ours are), you can't just insert arbitrary bits into the stream and expect the file to still uncompress and install. Because SSL does exact a greater overhead on server capacity, and because my associates here generally agree that this is a very, very remote possibility, we continue to use HTTP for our downloads. (The SDLC itself is all SSL, so when you log in and such, your personal data is fully secured. It's just that once you click to download, we use HTTP, not HTTPS.)

If anyone reading this has ever witnessed or experienced an "injection" attack of this type, I'd love to hear about it. Please leave a comment and tell the tale!

To complete the picture here at Sun, though, I must say we do have an application coming out shortly that will use SSL for all downloads. We are very pleased to be integrating the Sun Update Connection client with the SDLC back-end. We have a set of web services that enable clients to leverage the SDLC's robust and scalable infrastructure for downloads, so they don't have to reinvent the wheel (and of course we get great economies of scale this way too). As the Sun Update Connection client grows in popularity and handles more products and volume over time, it has become apparent that leveraging SDLC is the right way to scale up. We've been working on the integration project for a number of months and have now completed development and successful testing. I'm not part of the Sun Update team, so I don't know exactly when they plan to release their next version, but I believe it will be pretty soon now.

Anyway, this client provides automated patch maintenance and installation for the Solaris operating system. The Update Connection team felt that if customers were going to trust us with an automated patching mechanism, it was critical that the entire transaction be secured, end-to-end. So we've built an HTTPS-based download web service that we'll be rolling out with their next release. So rest assured, your patches will be safe and secure! Now that we have this service, we are considering extending it to "regular" downloads, but that is still under discussion.

To close on this point, I will say you are at much greater risk downloading from an unknown source, especially in the realm of P2P (peer-to-peer downloads, such as BitTorrent). While I think BitTorrent is a great piece of software (we actually offer BitTorrent downloads for OpenSolaris), people have released many media files for distribution via BitTorrent that have been modified with "badware". (This is no fault of BitTorrent -- it's just a P2P distribution protocol. And this behavior is by no means limited to BitTorrent; it's just an example.) So be forewarned -- you greatly increase your risk of getting "corrupt" software if you decide to use P2P (or any means really) to obtain content from an unofficial source.

How to protect yourself? Always go to the source and get legitimate, licensed software. If the provider makes checksums available, you can use them to verify that your software is legitimate and complete after downloading. Be cautious with mirror sites -- anyone can name a file the same as the legitimate version, and you may not know the difference. (Note: If you use Sun Download Manager to download from Sun, most of our software will be checksummed automatically for you.)

Finally, I'd like to thank Anthony Bryan for getting me thinking a bit more about this particular subject. Anthony's doing some really innovative work around download manager technology -- check out his Metalink program!


This blog copyright 2009 by Gary Zellerbach