I am a programmer. I recently developed an automation tool that periodically downloads a couple of files over a non-secured (HTTP) URL.
The two files are:
- A text file that is very tiny (under 10KB) which has details about the version, checksum of the main file, the relative path from where to download, size of the file etc.
- A compressed (zip) file that contains a bunch of dat files which are actual files of interest.
Now the infosec team is raising questions about downloading the content from an HTTP site instead of HTTPS. The host doesn’t support HTTPS for whatever reasons. My question is how risky is the content to download from the site considering the following things:
- Host is a popular anti-virus product (McAfee: download.nai.com).
- It’s a direct download without any authentication/authorization.
- The files are binary *.dat files which are actually virus definitions of McAfee’s command-line tool. These dat files are used internally by this tool.
I am guessing the reason McAfee has put them up for public access is to offload overhead caused by using HTTPS. My gut feeling is there is no risk because if there were any, McAfee would have provided a secured portal to its customers.
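The download flow described in the question (a small details file carrying the checksum and size, then the zip) can be checked as below. This is an added example, not part of the original post and not McAfee's code: the `key=value` manifest layout, the SHA-256 checksum and the sample data are assumptions constructed for illustration. It also shows what such a check covers when both files arrive over the same HTTP channel.

```python
import hashlib
import io
import zipfile

def parse_manifest(text):
    """Parse 'key=value' lines; this layout is an assumption, not the vendor's format."""
    fields = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields

def verify_archive(manifest_text, archive):
    """Check size, digest and member names of the zip; returns (ok, reason)."""
    m = parse_manifest(manifest_text)
    if not m.get("size", "").isdigit() or "sha256" not in m:
        return False, "manifest incomplete"
    if len(archive) != int(m["size"]):
        return False, "size mismatch"
    if hashlib.sha256(archive).hexdigest() != m["sha256"].lower():
        return False, "checksum mismatch"
    try:
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False, "not a zip archive"
    for name in names:
        # Refuse path traversal and anything that is not a .dat file.
        parts = name.split("/")
        if name.startswith("/") or ".." in parts or not name.lower().endswith(".dat"):
            return False, "unexpected member: " + name
    return True, "ok"

def build_pair(members):
    """Constructed sample data: a zip and the manifest that describes it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    archive = buf.getvalue()
    digest = hashlib.sha256(archive).hexdigest()
    return "version=1\nsize=%d\nsha256=%s\n" % (len(archive), digest), archive

if __name__ == "__main__":
    manifest, archive = build_pair({"sample1.dat": b"constructed"})
    other_manifest, other_archive = build_pair({"sample1.dat": b"substituted"})
    print(verify_archive(manifest, archive))              # matching pair
    print(verify_archive(manifest, other_archive))        # zip changed, manifest not
    print(verify_archive(other_manifest, other_archive))  # both replaced together
```

The third call passes because a manifest and zip that are replaced together still agree with each other, so a checksum fetched over the same unauthenticated channel detects corruption but not substitution of both files.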