Security: Windowblinds checks for updates and downloads over HTTP

Hi again!

You probably know this already, and perhaps you're already taking steps to improve it, but I can see that WindowBlinds makes some of its calls across the internet using HTTP, not HTTPS. In this example, it's checking for updates. I haven't done a full check of the network traffic, but I'd hope the registration and trial pages don't do the same thing. Since most of this website is HTTPS now, it would be surprising.

In addition, the installers for new versions of WindowBlinds come from http://storage.stardock.com which is also insecure. However, interestingly, storage.stardock.com does work over HTTPS if you ask it to, so perhaps consider setting up permanent redirects and HSTS pinning on your site to keep everyone safe. As someone who's dabbled in IIS before, I know this is really easy to configure.

15,096 views 9 replies
Reply #1

It's only recently that the forum has been delivered via HTTPS; Stardock has been a holdout when it comes to making us enter passwords into insecure HTTP.

In fact, they embedded plaintext HTTP images in the release notice for Windowblinds 10.6 which makes the lock in the browser disappear.

Reply #2

Stardock's own website Wincustomize (which is linked from WindowBlinds) is also plaintext by default, especially for login.  Clicking Login pops up "Not secure" on the Chrome address bar.

Reply #3

I just logged out and logged back in using Chrome and it says secure https. I have Chrome's latest update version 57.

Reply #4

Quoting the original post

Hi again!

You probably know this already, and perhaps you're already taking steps to improve it, but I can see that WindowBlinds makes some of its calls across the internet using HTTP, not HTTPS. In this example, it's checking for updates. I haven't done a full check of the network traffic, but I'd hope the registration and trial pages don't do the same thing. Since most of this website is HTTPS now, it would be surprising.

In addition, the installers for new versions of WindowBlinds come from http://storage.stardock.com which is also insecure. However, interestingly, storage.stardock.com does work over HTTPS if you ask it to, so perhaps consider setting up permanent redirects and HSTS pinning on your site to keep everyone safe. As someone who's dabbled in IIS before, I know this is really easy to configure.

End of quote

There is no need for the manual version check to be HTTPS.  It is simply a lookup to a single URL which returns a text file.  No secure information is sent either direction.  HTTPS alone offers very little in the way of additional safety over HTTP.

If there is a file found it will check locally what the versions are and then go to a hardcoded location to tell you about the updates, not any URL in the file returned.

The automatic check uses a different system.

Reply #5

Quoting Neil, reply 4

There is no need for the manual version check to be HTTPS.  It is simply a lookup to a single URL which returns a text file.  No secure information is sent either direction.  HTTPS alone offers very little in the way of additional safety over HTTP.

If there is a file found it will check locally what the versions are and then go to a hardcoded location to tell you about the updates, not any URL in the file returned.

The automatic check uses a different system.
End of Neil's quote

That's somewhat reassuring. Hopefully the code which compares the version numbers is not vulnerable to buffer overruns etc! I'd still recommend updating that at some point as a matter of best practice.

Is there any ETA for making sure downloads are served over HTTPS? That's the biggest risk to end users. It should be as simple as setting up IIS redirects and updating some web pages.

And as BFeely said, it would be great to get that on WinCustomize too. Anywhere that serves downloads or accepts user logins.
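A defensive sketch of the manual update check Neil describes in reply 4, together with the parser-robustness and HTTPS-download concerns raised in reply 5. This is an added example, not Stardock's code: the version-file layout, the sample bytes and the published digest are constructed assumptions.

```python
import hashlib
import re
from urllib.parse import urlparse

# Hypothetical layout of the text file the manual check fetches (reply 4):
# a single "major.minor.build" line. Constructed sample, not Stardock's format.
SAMPLE_UPDATE_FILE = b"10.65.0\r\n"
MAX_FILE_BYTES = 64  # a version string never needs more; reject anything larger
VERSION_RE = re.compile(r"(\d{1,5})\.(\d{1,5})\.(\d{1,5})")

# Constructed installer bytes and the digest a vendor would publish on an HTTPS page.
INSTALLER_SAMPLE = b"constructed installer bytes, not a real binary"
INSTALLER_SHA256 = hashlib.sha256(INSTALLER_SAMPLE).hexdigest()


def parse_remote_version(body: bytes) -> tuple:
    """Parse the version-check response defensively: bounded size, ASCII only,
    exact shape. Anything else is rejected rather than guessed at, so a response
    tampered with in transit over plain HTTP cannot make the client misbehave."""
    if len(body) > MAX_FILE_BYTES:
        raise ValueError("version file too large")
    text = body.decode("ascii", errors="strict").strip()  # UnicodeDecodeError is a ValueError
    m = VERSION_RE.fullmatch(text)
    if m is None:
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def update_available(local: tuple, remote: tuple) -> bool:
    # Compare as integer tuples, not strings, so 10.9.0 < 10.10.0 holds.
    return remote > local


def installer_is_trusted(url: str, data: bytes, expected_sha256: str) -> bool:
    """Accept an installer only if it was fetched over HTTPS and its SHA-256
    matches a digest obtained from a separately trusted (HTTPS) source. That
    integrity check is exactly what an HTTP download cannot provide on its own."""
    if urlparse(url).scheme != "https":
        return False
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()
```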

Reply #6

Oh, as a side note, it's impossible to update avatars on this forum. It requires not only using Flash Player, but also allowing mixed content (HTTP on HTTPS pages). Out of sheer curiosity, I did both of these unsafe things to test it out, and it still failed to upload the file (server reported back with error 500).

Reply #7

Quoting TryingToCustomize, reply 6

Oh, as a side note, it's impossible to update avatars on this forum. It requires not only using Flash Player, but also allowing mixed content (HTTP on HTTPS pages). Out of sheer curiosity, I did both of these unsafe things to test it out, and it still failed to upload the file (server reported back with error 500).
End of TryingToCustomize's quote

You're accessing this forum via 'Stardock Forums'.  Stardock's sites [there are MANY] each have a Forum, mostly interlinked but filtering out some sections as 'irrelevances'.  The system is quite complex and extensive and mostly unnoticed by a new user.

One site... Joe User https://forums.joeuser.com/ can and does facilitate Avatar changes [effective on all sites] though as with any net site you'll likely need to clear your browser cache before you see the change...;)

Reply #8

Well, that certainly sounds complicated!

Just to be sure, are you saying I should log into the JoeUser forum with my Stardock credentials?

Reply #9

Actually, no need. I found that using the Change Avatar feature on the Stardock 'My Account' section seemed to do the trick.

For your reference, the page I was trying to use was here: https://forums.stardock.com/account/images I'm not sure if those pages can be changed or disabled depending on what the underlying forum software is.