Yeah, I also don't see that "plain" HTTPS adds to security. Unless ... the download mechanism (libcurl?) makes sure the certificate presented by the HTTPS server is really owned by ClamAV. (E.g., it could use its builtin public key, rather than using the one sent by the HTTPS server.)
Otherwise, DNS hijacking (etc.) might route freshclam to a bogus server which delivers a bogus DB using its *own* HTTPS cert. The DBs' embedded signature(s) should be able to catch this, of course.

P.S. Validating the HTTPS cert would fail if freshclam is behind one of those unpleasant HTTPS MITM proxies that some organizations use.

On Thu, 12 Dec 2019 11:56:20 -0800 Al Varnell via clamav-users <[email protected]> wrote:

> Each DB's integrity is protected by an embedded signature, so https
> adds little or nothing to security here.
>
> -Al-
>
> On Dec 12, 2019, at 11:45, kaifeng zeng via clamav-users
> <[email protected]> wrote:
> >
> > Hi,
> >
> > One of the recommended ways to get the latest virus definition DB is
> > through the following links. Why are they not https? Thanks!
> >
> > http://database.clamav.net/main.cvd
> >
> > http://database.clamav.net/daily.cvd
> >
> > http://database.clamav.net/bytecode.cvd
> >
> > Kaifeng

_______________________________________________
clamav-users mailing list
[email protected]
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
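
The "builtin public key" idea raised in the reply above, as an added example that is not part of the thread and not ClamAV or freshclam code: the client hashes the SubjectPublicKeyInfo of whatever certificate the server presents and accepts it only if that hash is in a pin set compiled into the client (the `sha256//` string form is the one libcurl's `CURLOPT_PINNEDPUBLICKEY` accepts). All function names are hypothetical, and the two certificates are constructed, cert-shaped DER blobs with dummy keys.

```python
import base64
import hashlib

def read_tlv(buf, pos):
    """Parse one DER element; return (tag, start_of_content, end_of_element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def spki_der(cert):
    """Return the complete SubjectPublicKeyInfo element of a DER X.509 certificate."""
    _, c_start, _ = read_tlv(cert, 0)              # Certificate SEQUENCE
    _, pos, tbs_end = read_tlv(cert, c_start)      # tbsCertificate SEQUENCE
    fields = []
    while pos < tbs_end:
        tag, _, end = read_tlv(cert, pos)
        fields.append((tag, cert[pos:end]))
        pos = end
    # Field order: [0] version (optional), serial, sigalg, issuer, validity, subject, SPKI
    idx = 6 if fields and fields[0][0] == 0xA0 else 5
    if len(fields) <= idx:
        raise ValueError("not an X.509 certificate")
    return fields[idx][1]

def pin_of(cert):
    """Pin string: 'sha256//' + base64(SHA-256 of the SPKI)."""
    return "sha256//" + base64.b64encode(hashlib.sha256(spki_der(cert)).digest()).decode()

def server_key_is_pinned(cert, builtin_pins):
    """True only if the presented key is one the client shipped with."""
    return pin_of(cert) in builtin_pins

# --- constructed sample data: cert-shaped DER with dummy keys, not real certificates ---
def tlv(tag, content):
    n = len(content)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + content

def fake_cert(key_bytes):
    seq = lambda *parts: tlv(0x30, b"".join(parts))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), seq(), seq(), seq(), seq(),
              seq(seq(), tlv(0x03, b"\x00" + key_bytes)))
    return seq(tbs, seq(), tlv(0x03, b"\x00"))

GENUINE = fake_cert(b"\x11" * 300)     # stands in for the real mirror's certificate
IMPOSTOR = fake_cert(b"\x22" * 300)    # stands in for a bogus server's own certificate
BUILTIN_PINS = {pin_of(GENUINE)}       # shipped with the client, never taken from the wire
```

The same check also rejects the certificate of an intercepting proxy, which is the failure case the P.S. describes.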
