Downloading Microsoft Security Essentials via HTTPS

I want to download Microsoft Security Essentials on my brand new Windows 7 home PC. The official site presented to me is http://windows.microsoft.com/de-CH/windows/products/security-essentials, as I am located in Switzerland. The link to the actual package then is:

http://go.microsoft.com/fwlink/?LinkID=231276

The download is not secured with HTTPS. Why? Would this not be the first thing Microsoft should do? They could even deliver the certificate already with the OS to make it really secure.


Solution 1:

It's plain HTTP because all Microsoft software is digitally signed anyway; the signature is embedded in the .exe file and verified by Windows on launch. (I seem to remember that this is a requirement for all files posted in their Download Center.)

Unlike HTTPS, signing the actual download also means you can check the signature everywhere (such as copied from a CD or a friend).


Solution 2:

Being transmitted over SSL does not make the download more secure in the way you are thinking. SSL simply hides the data that you are sending and receiving. So for instance, if you are sending a credit card number or login over the internet, an HTTPS connection would prevent any peeper from knowing what the contents of the data you sent contain.

Transmitting a fixed file from an encrypted source would only be, at best, marginally better since the contents of what you are receiving are already public. Even if it was on HTTPS, if someone had the data of where you were transmitting/receiving to/from, they could still likely deduce what you are downloading.

Solution 3:

Microsoft does not use HTTPS because you're not actually downloading the file from Microsoft's servers. The files are delivered using servers which Microsoft does not own or control.

The download link you posted is just a redirect link, which on my machine eventually resolved to

http://mse.dlservice.microsoft.com/download/A/3/8/A38FFBF2-1122-48B4-AF60-E44F6DC28BD8/enus/x86/mseinstall.exe 

If you play with the URL and make it HTTPS you get a certificate error. The message in Chrome says:

You attempted to reach mse.dlservice.microsoft.com, but instead you actually reached a server identifying itself as a248.e.akamai.net.

Microsoft, like many other companies, uses Content Delivery Networks (CDNs) to deliver its files using servers which are geographically close to their users. In this case Akamai is the CDN which is serving Microsoft's downloads.

Solution 4:

There is no need to download over HTTPS. All software on their download centre is signed by Microsoft and authenticated during installation.
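
The embedded signature that Solutions 1 and 4 rely on can also be checked by hand before the installer is launched, which covers a file that arrived over plain HTTP, from a CD or from a friend. The PowerShell below is an added example, not part of the original answers; the function name Test-MicrosoftSignature and the download path in the usage comment are assumptions.

```powershell
# Added example (not from the original answers).
# Checks the Authenticode signature of a downloaded installer and confirms
# that the signer is Microsoft, not just any trusted publisher.
# Written to run on PowerShell 2.0, the version shipped with Windows 7.
function Test-MicrosoftSignature {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    if (-not (Test-Path $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # Validates the embedded signature: the file hash must match the signed
    # hash and the signer's certificate must chain to a trusted root.
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate

    # 'Valid' is the only acceptable status. A file altered in transit
    # reports 'HashMismatch'; an unsigned replacement reports 'NotSigned'.
    $statusOk = $sig.Status -eq [System.Management.Automation.SignatureStatus]::Valid

    # The subject match is only meaningful together with a Valid status,
    # because the chain check is what makes the subject trustworthy.
    $publisherOk = $false
    if ($signer) {
        $publisherOk = $signer.Subject -match '(^|, )O=Microsoft Corporation(,|$)'
    }

    New-Object PSObject -Property @{
        Path       = $Path
        Status     = $sig.Status
        Message    = $sig.StatusMessage
        Subject    = if ($signer) { $signer.Subject } else { $null }
        Thumbprint = if ($signer) { $signer.Thumbprint } else { $null }
        Trusted    = ($statusOk -and $publisherOk)
    }
}

# Usage (path is an assumption; mseinstall.exe is the file name from the
# redirect shown in Solution 3):
#   $r = Test-MicrosoftSignature "$env:USERPROFILE\Downloads\mseinstall.exe"
#   if (-not $r.Trusted) { Write-Warning "Do not run: $($r.Status) $($r.Message)" }
```

Run the check on the file exactly as it will be executed; a copy made before the check says nothing about a file replaced afterwards.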