3

Are there any security reasons why a network admin would block downloads over HTTP, but allow them over HTTPS?

peterh
user1450877
  • Are you sure that it's not simply that the packet inspection mechanism your network admin is using can only detect downloads over HTTP, not over HTTPS, due to the encryption? – Rob Farr Aug 03 '17 at 11:12
  • @Rob Farr fairly certain. There is a policy of blocking downloads over HTTP but not HTTPS. I just wanted to understand the reasoning behind it because it appears to be unnecessary and causes a lot of problems. – user1450877 Aug 03 '17 at 11:20
  • What did the network administrator say when you asked them? – Jenny D Aug 03 '17 at 20:46
  • Probably you want to ask this at https://security.stackexchange.com/ – sebix Aug 04 '17 at 19:56

3 Answers

10

If we talk about static file downloads without any authentication, the ability to ensure data integrity is one reason. However, encrypting the connection is just one tool for that as you could also use checksums to make sure that the data haven't been modified during the transmission.

However, blocking all HTTP downloads from anywhere will cause more problems than it would solve, as some content is only available over HTTP. From the opposite perspective, it's perfectly fine to provide downloads only via HTTPS for data integrity, and it additionally helps protect the information on who downloaded what.

On the other hand, HTTP downloads have one advantage from the perspective of network administration: you can run virus (and other content) checks against the file in a firewall/UTM, before it even gets to the client computer. With HTTPS you would need to decrypt the TLS first; that would technically be a man-in-the-middle attack, while it has a legitimate purpose.

Esa Jokinen
  • I agree that blocking HTTP downloads causes more problems than it solves. But with integrity you are wrong. The integrity is never checked automatically (not in HTTP and not in HTTPS). You could only manually check the integrity with some MD5 or SHA checksums or using the "Content-MD5" HTTP header, if it is defined – Radon8472 Aug 03 '17 at 10:53
  • 1
    Correct. Using HTTPS only prevents **intentional tampering** of the data. – Esa Jokinen Aug 03 '17 at 10:56
  • HTTP downloads may also contain authentication cookie information in the request headers. This would let a person sniffing the network hijack a session which, in some cases, is worse than allowing an attacker to learn who is downloading what. – lungj Aug 03 '17 at 15:03
  • That's why I had _without any authentication_. :) – Esa Jokinen Aug 03 '17 at 15:07
  • Unless the network is also filtering/poisoning DNS and blocking public DNS, you can still visit `https://evil.example.com/StuxCry.exe.vbs` – Nick T Aug 03 '17 at 20:10
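The answer and Radon8472's comment above make a point that is easy to get wrong: neither HTTP nor HTTPS checks a downloaded file against anything, and a Content-MD5 header is only as trustworthy as the plaintext response it arrived in. The following is an added example (not code from the original post or from any of its authors) that shows the difference between an in-band check (the server's own Content-MD5 header) and an out-of-band check (a SHA-256 value published separately, for instance on the vendor's HTTPS page). The sample bytes, the published checksum and the header values are constructed for the demonstration; the function names are this example's own.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a downloaded body, as lowercase hex (the form vendors usually publish)."""
    return hashlib.sha256(data).hexdigest()


def content_md5(data: bytes) -> str:
    """The value an origin server would put in a Content-MD5 header:
    base64 of the raw 16-byte MD5 digest (RFC 1864 style)."""
    return base64.b64encode(hashlib.md5(data).digest()).decode("ascii")


def verify_sha256(data: bytes, published_hex: str) -> bool:
    """Compare the body against a checksum obtained out of band, e.g. from the
    vendor's HTTPS page. compare_digest keeps the comparison constant-time."""
    return hmac.compare_digest(sha256_hex(data), published_hex.strip().lower())


def verify_content_md5(data: bytes, headers: Dict[str, str]) -> Optional[bool]:
    """True/False if a Content-MD5 header is present, None if the server sent none.
    The header travels in the same plaintext response as the body, so it is an
    in-band check: it catches accidental corruption, not deliberate rewriting."""
    header = headers.get("Content-MD5")
    if header is None:
        return None
    return hmac.compare_digest(content_md5(data), header.strip())


def check_download(data: bytes, headers: Dict[str, str],
                   published_sha256: Optional[str] = None) -> str:
    """Classify a finished download.
      'verified'   : matches a checksum that came from a separate, trusted channel
      'tampered'   : contradicts that out-of-band checksum
      'corrupt'    : contradicts the server's own Content-MD5 (transport damage)
      'unverified' : nothing to compare against, or only an in-band header that
                     an on-path attacker could have rewritten together with the body
    """
    if published_sha256 is not None:
        return "verified" if verify_sha256(data, published_sha256) else "tampered"
    if verify_content_md5(data, headers) is False:
        return "corrupt"
    return "unverified"


# Constructed sample data: a tiny "download" and the checksum a vendor might publish.
ORIGINAL = b"abc"
PUBLISHED_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
TAMPERED = b"abd"  # one byte changed in transit (constructed)


def demo() -> Dict[str, str]:
    """Run the cases the thread discusses and return their classifications."""
    return {
        # Plain HTTP, no header, no published hash: nothing was ever checked.
        "http_no_checks": check_download(ORIGINAL, {}),
        # Server sent Content-MD5 and the body arrived damaged: caught.
        "http_bit_flip": check_download(TAMPERED, {"Content-MD5": content_md5(ORIGINAL)}),
        # Body and header both rewritten on the path: the in-band check passes, still unverified.
        "http_header_rewritten_too": check_download(TAMPERED, {"Content-MD5": content_md5(TAMPERED)}),
        # Out-of-band SHA-256 from an HTTPS page catches the same substitution.
        "oob_hash_catches_substitution": check_download(TAMPERED, {}, PUBLISHED_SHA256),
        "oob_hash_intact": check_download(ORIGINAL, {}, PUBLISHED_SHA256),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:32s} -> {verdict}")
```

The point of the last three cases is the one Esa Jokinen concedes in the comments: a header carried in the same unauthenticated response can always be regenerated along with the body, so the only integrity check that survives an on-path change is one whose reference value came over a different, authenticated channel. HTTPS provides that channel for the download itself; a checksum page served over HTTPS provides it for a file that can only be fetched over HTTP.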
2

I think yes, there are some reasons why downloads via HTTP could be dangerous.

  • Without HTTPS you could suffer man-in-the-middle attacks.
    • e.g. somebody tries to download software from a trusted page, but instead he gets a file with a virus
  • Without HTTPS you can see the full request URIs in your HTTP traffic; with HTTPS you see only the hosts
  • If you download from a page with an HTTP login, someone could "see" your login data when you are not using HTTPS
Radon8472
-1

I think because HTTPS is an encrypted message and protects your download content against eavesdropping and tampering

ben