I just downloaded avast, and I don’t have another antivirus currently installed. Moreover, the download was made from 01net.com over an unencrypted connection.
How, in these conditions, can I be sure I am installing the actual avast antivirus, and not some malware that is trying to look like avast? I don’t see the point in installing security software if I cannot trust the download source.
Is there a place where I can get an MD5 or SHA1 for the installer with an official https://avast.com address?
Since you are already on the forum, why did you not download from here rather than some untrusted site? Choose the version you’d like from here: http://forum.avast.com/index.php?topic=133788.0
Thanks for the links, I did not know it was hosted on avast.com too (as the main avast page redirected me to another site without asking for my preference).
However, this does not really solve the issue. HTTP is not secure. I would have thought avast would provide a way to authenticate the downloaded file, whatever the download source, through a secure protocol (https, on the avast site). Maybe I’m wrong though.
I know it is unlikely that someone would manage to distribute hacked versions of the anti-virus (for example through a “man in the middle” attack on the avast website?), but as far as I know it’s possible. That would allow the attacker not only to install malware on users’ computers (that could steal passwords etc.), but also to do so completely undetected, since the false anti-virus would of course not report itself as a virus, and users would think they are protected. Or maybe I’m wrong and such an attack is not possible, in which case please tell me how.
EDIT: I just tried changing the protocol in the download links you sent me (https instead of http), and it works, so it’s good for me. It’s probably heavier for avast hosting to send the whole installer over an encrypted connection than to just provide an MD5 or SHA1 key, but that’s their problem… Thanks.