
Can I use http for my customers to download signed installation files?

I am planning to host a ClickOnce application on a web server and want to give access over http (NOT httpS). The application is signed with a certificate. I assume that it should be OK not to use https because man-in-the-middle attacks cannot spoof the signed binaries. I have the following questions regarding this.

  1. Are there any other security threats that I should be aware of?
  2. Does using http over https increase perceivable performance? (Assume there are many clients downloading the setup files from the server. There should be less overhead on the server with plain http.)

Thanks.

If there is any kind of access control on the application, using http makes it easier for someone to retrieve the application from a network trace, or find out the real URL.

(I use this sometimes when I'm interested in an .apk file. There's no easy way to get the .apk in Google Play, but when I start a network trace on my router, then have my Android install the apk, I can get the URL from the trace and download the same URL to my PC. No rootkits or special software required.)

If you have a recent CPU and software stack, then the crypto part of https is done in hardware in the CPU, which means there is little or no detectable overhead in https.
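
An added example, not part of the original question or answer: a PowerShell check that a client could run on an installer fetched over plain http, accepting it only if the Authenticode signature is valid and the signer matches a pinned publisher certificate. The function name, the `setup.exe` file name and the thumbprint placeholder are assumptions made for illustration.

```powershell
# Added example: verify a downloaded, signed installer before running it.
# Test-DownloadedInstaller is a hypothetical helper name, not a built-in cmdlet.
function Test-DownloadedInstaller {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Thumbprint of the publisher certificate you expect (obtained out of band).
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # 'Valid' requires that the file hash matches the signature and the chain is trusted.
    # 'HashMismatch' means the bytes changed after signing; 'NotSigned' means the
    # signature is absent (never applied, or stripped in transit).
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        Write-Warning "Rejecting ${Path}: signature status is $($sig.Status) ($($sig.StatusMessage))"
        return $false
    }

    # A valid signature from any trusted publisher is not enough on its own:
    # compare the signer against the pinned publisher certificate.
    $actual   = $sig.SignerCertificate.Thumbprint
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
    if ($actual -ne $expected) {
        Write-Warning "Rejecting ${Path}: signed by '$($sig.SignerCertificate.Subject)' ($actual), not the pinned publisher"
        return $false
    }

    return $true
}

# Usage (placeholder thumbprint; substitute your publisher certificate's value):
# Test-DownloadedInstaller -Path .\setup.exe -ExpectedThumbprint '<PUBLISHER-CERT-THUMBPRINT>'
```

The check covers integrity and publisher identity only; it does nothing about the point raised in the answer, that the download URL and file are visible to anyone who can capture the http traffic.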

The technical posts on this site follow the CC BY-SA 4.0 license. If you need to reprint, please indicate the site URL or the original address. For any questions, please contact: yoyou2525@163.com.
