Are there any security reasons why a network admin would block downloads over HTTP, but allow them over HTTPS?
Security – Blocking HTTP downloads but not HTTPS
Best Answer
If we talk about static file downloads without any authentication, the ability to ensure data integrity is one reason. However, encrypting the connection is just one tool for that as you could also use checksums to make sure that the data haven't been modified during the transmission.
However, blocking all HTTP downloads from anywhere will cause more problems than it would solve, as some content is only available on HTTP. From the opposite perspective, it's perfectly fine to provide downloads only via HTTPS for data integrity, and it additionally helps protect the information about who downloaded what.
On the other hand, HTTP downloads have one advantage from the perspective of network administration: you can run virus (and other content) checks against the file in a firewall/UTM, before it even gets to the client computer. With HTTPS you would need to decrypt the TLS first; that would technically be a man-in-the-middle attack, although it has a legitimate purpose.