This project has moved and is read-only. For the latest updates, please go here.

The most prominent download option uses HTTP

Topics: Technical Issues
Dec 10, 2016 at 6:27 AM
The large purple download button at the CodePlex home page of VeraCrypt (https://veracrypt.codeplex.com/), downloads the installer when clicked via HTTP posing a potential security risk.

If you can't configure the CodePlex project so that the download link uses HTTPS you should probably consider moving the project away from CodePlex to a dedicated site where you can make sure that all download options use HTTPS.
Dec 10, 2016 at 12:46 PM
I noticed that too. Like it is not enough Microsoft is behind codeplex. Here's a reply form Mt. idrassi, the author:
https://veracrypt.codeplex.com/discussions/659265

I prefer to download from launchpad mirror, https everywhere.
Dec 11, 2016 at 1:13 PM
When using the browser add-on "HTTPS Everywhere", the binary gets downloaded from https://download-codeplex.sec.s-msft.com when clicking the purple button.

So is seems to be technically possible to download via a TLS-secured connection using CodePlex.

This should get enforced as well for users not using such a browser add-on, though.
Dec 11, 2016 at 8:01 PM
Why should one care about the download connection?? EVERYBODY should check the pgp signature... thats it....
Dec 11, 2016 at 8:56 PM
While everyone should, it's pretty unrealistic to expect that everyone does...