2012-11-27 07:20:21 by chort
Today I tried to download some anti-virus software from the manufacturer's site. When I clicked the Download button embedded in their site, it sent me to a CNET download page, which I assume would have downloaded one of those special CNET installers. I say assume, because I didn't actually bother to download it once I realized I had been redirected to CNET.
That was an example of a wrong way to provide a software download, but what is the correct way to do it?
When people install software on their computer, it's an act of trust, whether they realize it or not. Most people probably make some unconscious judgements about the trustworthiness of software, based on how professional the website looks, how credible the name sounds, and whether other users appear to have installed the same software. More savvy computer users will want additional assurance that they're installing authentic, unaltered software from a reputable source. Here are a few tips to avoid looking shady when your potential customers download software.
1. Provide, on your own website, checksums of the file (if it's compressed, provide checksums for both the archive and the uncompressed installer)
2. Don't use MD5 for the integrity checksum. Ideally you should post the output of two different algorithms, so a potential attacker couldn't create a file that collides with both simultaneously (even if either one could be defeated on it's own).
3. Provide all downloads over HTTPS, so users can verify their connection hasn't been subverted by a man-in-the-middle attack.
4. Host the files on your own domain, if you can. If not, provide the checksums and the download domain information on your site, over HTTPS, so users can verify what domain they will be redirected to.
5. Don't bundle extra software that you get paid to include. This is nothing more than a trick to get users to install software they don't want, don't need, and is probably a net loss of value to them. Forcing unwanted software on users is inherently dishonest and repugnant behavior.
6. Go the extra mile and sign the download with PGP, especially if it's security or privacy software. It's true most users won't bother to check the signature, but for people who rely on trustworthy software in dangerous situations, this can literally be a life-saver.
If a company or open source project can't be bothered to do any of the steps above, how little do they care about the quality of product they're delivering?
- Comments (0)