Saturday, 21 March 2015

non-https winscp website



The whole point of WinSCP is to provide a secure channel between a computer and a server. "Secure" means that there is a possibility of an attacker that can view or modify bytes sent both ways. Let's assume I have keys from the server but do not have WinSCP installed (or have it but want to update it). In that case I'm going to download WinSCP from winscp.net, which is NOT https, and thus the webpages I get can be changed by an attacker who is capable of modifying bytes sent/received. The download webpage provides checksums, which can also be modified by an attacker.


Questions are:

  1. How come the WinSCP authors have not implemented https on the website yet?

  2. What can I do to prevent the described attack?






