A solution to provide secure downloads using existing mirrors
There has been a lot of discussion on Twitter after security researchers noticed the VLC website does not use HTTPS by default, and many of the download mirrors do not support HTTPS at all. This potentially leaves thousands of new users vulnerable to malware injection every day.
This proof-of-concept MITM attack swaps out the download link and the checksum shown on the page, and this shows how that attack could be used to install a vulnerable version of VLC.
And although your binaries are signed, it still may be possible to trick users into clicking past warnings or trusting the wrong signature. How many people would really notice if their download was signed by “VLC Software Solutions” instead of “VideoLAN,” if they downloaded it from the official website?
Ultimately, it comes down to resources. VLC is not-for-profit, your download mirrors are provided for free, and you can’t control how they operate. From what I understand of the discussion so far, we need to find a solution that:
- Protects as many of your up-to-date users as possible, without excluding those who chose to run outdated, insecure browsers and operating systems.
- Doesn’t rely on using free US-based CDNs like Cloudflare or download services like GitHub.
- Doesn’t increase your hosting costs.
Solution
You can force supported browsers to use HTTPS by setting up HSTS. Browsers that don’t support this header will just ignore it and continue using the insecure (HTTP) version. HSTS should also make Google link to the secure version of the website from their search results.
This doesn’t really help if your mirrors, which you can’t control, are still using HTTP. The way I suggest you get past this is to create a lightweight installer that’s responsible for downloading VLC and verifying the checksum.
This installer would be tiny (a few kilobytes at most), and could easily be served from your own servers or a selection of secure mirrors that support SSL/TLS.
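As an added illustration of what such a stub installer would need to do (this is example code written for this post, not anything VideoLAN ships), the sketch below fetches the real package only over HTTPS and refuses to write it to disk unless its SHA-256 matches a digest pinned inside the stub. The URL and digest are placeholders, the `fetch` parameter is injectable so the logic can be exercised offline, and the constructed bytes in the demonstration stand in for the real package; the point is that a mirror served over plain HTTP cannot swap the binary without the pinned digest catching it.

```python
"""Stub-installer sketch (example code, not VideoLAN's): download the real
VLC package over HTTPS only and refuse to write anything to disk unless its
SHA-256 matches a digest pinned in this small, HTTPS-served program."""
import hashlib
import hmac
import tempfile
import urllib.request
from urllib.parse import urlparse

# Hypothetical placeholder values. A real stub would carry the digest of the
# exact release it was built for and the URL of a mirror that supports TLS.
PINNED_URL = "https://mirror.example.invalid/vlc/vlc-VERSION-win64.exe"
PINNED_SHA256 = "PLACEHOLDER_SHA256_OF_THE_RELEASE"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def check_download_url(url: str) -> bool:
    """Accept only https:// URLs with a host. A plain-HTTP mirror could hand
    back a swapped binary together with a matching swapped checksum."""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)


def verify_payload(data: bytes, expected_sha256_hex: str) -> bool:
    """Compare the digest of the downloaded bytes with the pinned digest,
    using a constant-time comparison."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256_hex.lower())


def download_and_verify(url: str, expected_sha256_hex: str, fetch=None) -> bytes:
    """Download and verify; raise ValueError on any problem so that unverified
    bytes never reach disk. `fetch(url) -> bytes` is injectable for offline use."""
    if not check_download_url(url):
        raise ValueError(f"refusing non-HTTPS download URL: {url}")
    if fetch is None:
        def fetch(u):
            # urllib validates the server certificate against the system store.
            with urllib.request.urlopen(u, timeout=60) as resp:
                return resp.read()
    data = fetch(url)
    if not verify_payload(data, expected_sha256_hex):
        raise ValueError("checksum mismatch: download discarded")
    return data


def install(url: str, expected_sha256_hex: str, dest_path: str, fetch=None) -> int:
    """Write the package to dest_path only after it has verified; returns the
    number of bytes written."""
    data = download_and_verify(url, expected_sha256_hex, fetch)
    with open(dest_path, "wb") as f:
        f.write(data)
    return len(data)


if __name__ == "__main__":
    # Offline demonstration with constructed bytes standing in for the package.
    genuine = b"constructed stand-in for the VLC package"
    tampered = b"constructed stand-in for a swapped package"
    pinned = sha256_hex(genuine)
    with tempfile.NamedTemporaryFile(suffix=".exe", delete=False) as tmp:
        n = install(PINNED_URL, pinned, tmp.name, fetch=lambda u: genuine)
    print(f"verified and wrote {n} bytes")
    for url, payload in ((PINNED_URL, tampered), ("http://mirror.example.invalid/vlc.exe", genuine)):
        try:
            download_and_verify(url, pinned, fetch=lambda u, p=payload: p)
        except ValueError as e:
            print("rejected:", e)
```

Because the digest travels inside the stub rather than on the download page, an attacker on the path to an HTTP mirror can no longer replace the binary and the checksum together; they would have to alter the stub itself, which is small enough to serve from your own TLS-enabled hosts.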
If you need more bandwidth on your servers, you can get an extra 97KB per download, simply by optimising your screenshot gallery. You could even move your images onto Cloudflare, since there is no law against serving screenshots of VLC in the US.