enriquepiatti / Magicento

PHPStorm plugin for Magento developers

Security: Download links are unsafe against MITM attacks #274

Closed thomaszbz closed 6 years ago

thomaszbz commented 6 years ago

Download links such as http://www.magicento.com/rest/plugin/download?key=... are not safe against MITM attacks.

If you think this is not an issue, please read this article: https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/ The whole issue has now been seen in the wild and the scenario is likely to worsen.

The easiest solution is to migrate downloads to https links and to go for a https-only strategy. It's not about encryption but about authentication and integrity (both are provided by TLS out of the box). Please get yourself a free Let's Encrypt certificate and start over using TLS.

Please also note that using cryptographic hashes such as SHA-256 doesn't mitigate this issue as long as the hash itself is not provided via a secure channel (such as via TLS).

Please also don't forget to switch links in the download itself so that future updates are directly downloaded via https (and not via a 301'd http request).

Please also don't forget to use secure connections when uploading a download (SSH or TLS).
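To make the points above concrete, here is an added example (not Magicento's own code) of how a plugin updater could audit its download manifest before trusting an artifact: any plaintext hop in the redirect chain fails the download, and a published SHA-256 is ignored unless the digest itself came over TLS. All URLs, the payload bytes and the manifest are constructed placeholders.

```python
import hashlib
from urllib.parse import urlparse

SECURE_SCHEMES = {"https", "sftp", "ssh"}  # transports that authenticate the peer


def is_secure_url(url: str) -> bool:
    return urlparse(url).scheme.lower() in SECURE_SCHEMES


def weakest_hop(chain):
    """chain: the URL first requested plus every redirect target, in order.
    Returns the first plaintext URL, or None. A single http hop (an http link
    that 301s to https) already lets an on-path attacker rewrite the redirect."""
    for url in chain:
        if not is_secure_url(url):
            return url
    return None


def verify_artifact(data: bytes, expected_sha256: str, digest_url: str) -> str:
    """Return 'ok', 'mismatch' or 'untrusted-digest'. The digest only counts if
    it was fetched over an authenticated channel; served over http, whoever
    swaps the artifact can swap the hash as well."""
    if not is_secure_url(digest_url):
        return "untrusted-digest"
    actual = hashlib.sha256(data).hexdigest()
    return "ok" if actual == expected_sha256.lower() else "mismatch"


def audit_manifest(manifest):
    """manifest: {name: {"chain": [...], "data": bytes, "sha256": hex, "digest_url": url}}.
    Returns a list of findings; an empty list means every entry is acceptable."""
    findings = []
    for name, e in manifest.items():
        bad = weakest_hop(e["chain"])
        if bad:
            findings.append(f"{name}: plaintext hop {bad}")
        verdict = verify_artifact(e["data"], e["sha256"], e["digest_url"])
        if verdict != "ok":
            findings.append(f"{name}: {verdict}")
    return findings


# Constructed sample manifest (hypothetical example.invalid hosts, fake payload).
_PAYLOAD = b"plugin-archive-bytes"
_GOOD = hashlib.sha256(_PAYLOAD).hexdigest()
SAMPLE_MANIFEST = {
    "http-301": {"chain": ["http://example.invalid/rest/plugin/download?key=K",
                           "https://example.invalid/dl/plugin.zip"],
                 "data": _PAYLOAD, "sha256": _GOOD,
                 "digest_url": "https://example.invalid/dl/plugin.zip.sha256"},
    "http-hash": {"chain": ["https://example.invalid/dl/plugin.zip"],
                  "data": _PAYLOAD, "sha256": _GOOD,
                  "digest_url": "http://example.invalid/dl/plugin.zip.sha256"},
    "https-only": {"chain": ["https://example.invalid/dl/plugin.zip"],
                   "data": _PAYLOAD, "sha256": _GOOD,
                   "digest_url": "https://example.invalid/dl/plugin.zip.sha256"},
}

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
```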

enriquepiatti commented 6 years ago

Done