What is the risk of downloading files from a non-secured sites

I am a programmer. I recently developed an automation tool that periodically downloads a couple of files over a non-secured (HTTP) URL.

Two files are:

  1. A text file that is very tiny (under 10KB) which has details about the version, checksum of the main file, the relative path from where to download, size of the file etc.
  2. A compressed (zip) file that contains a bunch of dat files which are actual files of interest.

Now the infosec team is raising questions about downloading the content from an HTTP site instead of HTTPS. The host doesn’t support HTTPS for whatever reason. My question is how risky it is to download the content from the site, considering the following things:

  1. Host is a popular anti-virus product (McAfee: download.nai.com).

  2. It’s a direct download without any authentication/authorization.

  3. The files are binary *.dat files which are actually virus definitions of McAfee’s command-line tool. These dat files are used internally by this tool.

I am guessing the reason McAfee has put them up for public access is to offload the overhead caused by using HTTPS. My gut feeling is that there is no risk, because if there were any, McAfee would have provided a secured portal to its customers.
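The following is an added example (not the poster's tool and not McAfee's code) showing what the manifest-plus-checksum arrangement described above can and cannot guarantee. It constructs a stand-in zip and a manifest in a hypothetical "key: value" layout (the real manifest format is not given), verifies size and SHA-256, and refuses a manifest whose download path is absolute, a URL, or contains "..". It then shows the limit of the check: when the manifest travels over the same plaintext channel as the archive, anyone who can alter the archive can regenerate a matching manifest, so the hash only detects corruption, not tampering. The function and key names are assumptions.

```python
import hashlib
import hmac
import io
import zipfile


def build_sample_zip() -> bytes:
    # Constructed stand-in for the definitions archive: one .dat member.
    # Not the real file; it exists only so the example runs offline.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("defs/sample.dat", b"constructed definition data\n")
    return buf.getvalue()


def manifest_for(payload: bytes, path: str = "dat/sample.zip", version: str = "9999") -> str:
    # Hypothetical manifest layout: version, relative path, size, checksum.
    return (
        f"version: {version}\n"
        f"path: {path}\n"
        f"size: {len(payload)}\n"
        f"sha256: {hashlib.sha256(payload).hexdigest()}\n"
    )


SAMPLE_ZIP = build_sample_zip()
SAMPLE_MANIFEST = manifest_for(SAMPLE_ZIP)


def parse_manifest(text: str) -> dict:
    entries = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            entries[key.strip().lower()] = value.strip()
    return entries


def safe_relative_path(path: str) -> bool:
    # The manifest tells the tool where to fetch from, so it must not be able
    # to redirect the download to an absolute path, another host, or a parent dir.
    if not path or path.startswith(("/", "\\")) or "://" in path:
        return False
    return all(part not in ("", "..") for part in path.replace("\\", "/").split("/"))


def verify_download(manifest_text: str, payload: bytes) -> bool:
    # True only if the payload matches the manifest's size and SHA-256,
    # the manifest's path is a plain relative path, and the bytes are a zip.
    m = parse_manifest(manifest_text)
    try:
        if not safe_relative_path(m["path"]):
            return False
        if len(payload) != int(m["size"]):
            return False
        expected = m["sha256"].lower()
    except (KeyError, ValueError):
        return False
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, expected) and zipfile.is_zipfile(io.BytesIO(payload))


def tamper_middle_byte(payload: bytes) -> bytes:
    # Simulates in-transit modification that keeps the size unchanged.
    mid = len(payload) // 2
    return payload[:mid] + bytes([payload[mid] ^ 0xFF]) + payload[mid + 1:]


if __name__ == "__main__":
    tampered = tamper_middle_byte(SAMPLE_ZIP)
    print("genuine :", verify_download(SAMPLE_MANIFEST, SAMPLE_ZIP))   # True
    print("tampered:", verify_download(SAMPLE_MANIFEST, tampered))     # False
    # Limitation: a party who can rewrite the archive on the wire can also
    # rewrite the manifest fetched over the same plaintext channel, and the
    # check passes again. Only a signature verified against a key the tool
    # already holds, or fetching the manifest over TLS, closes that gap.
    print("forged  :", verify_download(manifest_for(tampered), tampered))  # True
```

The practical reading for the infosec discussion: the checksum in the text file protects against truncated or corrupted downloads, and the path check stops a hostile manifest from steering the tool elsewhere, but neither establishes that the bytes came from the vendor. That needs a trust anchor the attacker cannot rewrite in transit.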

Is it a risk if HTML code from a textbox is rendered on the next page but the searched string is not shown in the URL?

I found a website in which the results are rendered on the next page. From the “/search” address, the data is forwarded to “/result” without any trailing characters (the searched item) in the address. But the HTML code from the first page is rendered on the next page, and yes, JavaScript can be executed. Is this still a security risk even though the searched string is not in the address URL?
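As an added example (not code from the site in the question), the snippet below reproduces the pattern described, a value submitted from one page and reflected into the next, as a pure rendering function, and places the escaped version beside it. The submitted string is modelled as a POST form dictionary rather than a URL parameter, which is exactly the situation the question describes: the browser renders and executes whatever reaches the page, regardless of whether the value was carried in the query string or the request body. Form field names and the hardened header set are assumptions.

```python
import html

# Constructed form submission: what /search posts to /result. The value
# travels in the request body, so it never appears in the address bar.
SAMPLE_FORM = {"q": "<script>alert()</script>"}


def render_result_unsafe(form: dict) -> str:
    # Reflects the submitted text verbatim. This is the behaviour the
    # question describes; the transport (URL vs body) is irrelevant to it.
    return f"<h1>Results for: {form.get('q', '')}</h1>"


def render_result_safe(form: dict) -> str:
    # Same page with the untrusted value HTML-escaped before it is placed
    # in element content. quote=True also neutralises it in attribute context.
    return f"<h1>Results for: {html.escape(form.get('q', ''), quote=True)}</h1>"


def hardened_headers() -> dict:
    # Defence in depth for the response: a restrictive Content-Security-Policy
    # blocks inline scripts even if an escaping bug slips through somewhere.
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    }


def script_survives(rendered: str) -> bool:
    # Cheap check used below: does a literal <script> tag remain in the markup?
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("unsafe:", render_result_unsafe(SAMPLE_FORM))
    print("safe  :", render_result_safe(SAMPLE_FORM))
    print("script reaches browser (unsafe):", script_survives(render_result_unsafe(SAMPLE_FORM)))
    print("script reaches browser (safe)  :", script_survives(render_result_safe(SAMPLE_FORM)))
```

Because the payload is in the body rather than the URL, a victim cannot be handed a plain link to the result page; an attacker would need an auto-submitting form or a similar cross-site request, which is why this variant is sometimes misjudged as harmless. The fix is the same either way: encode untrusted values for the context they are written into, and add a CSP so that a missed spot does not become script execution.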

Risk of committing IdentityFile name for OpenSSH configuration to public repository

What is the risk of committing the IdentityFile line for each of my Host entries in my ~/.ssh/config to my public dotfiles repository? Would providing such information make it any easier for an attacker to compromise those keys?

  $ cat ~/.ssh/config
  Host SE
    Hostname security.stackexchange.com
    User rage
    IdentityFile ~/.ssh/security_key

Versus

  IdentityFile ~/.ssh/id_rsa

Note: this is the default key name when invoking ssh-keygen.

Accidentally clicked spam email link on android, risk of malware?

I was browsing my spam folder on my phone in the Gmail app and stupidly let curiosity get the better of me. The app had blocked images by default, but I clicked to allow them and also accidentally clicked a link in the email while scrolling through. A page began to load, but I closed it as soon as I saw the URL, before anything visually loaded.

I was on a OnePlus 5 Android phone connected to my home WiFi. Android version 9 with the August 1, 2019 security patch. Gmail app last updated Feb 12th 2020. The Gmail app had permissions to my contacts, calendar, and storage at the time I clicked the link. The phone is rooted with Magisk, but no root prompts were given, so I don’t think this is an issue?

The email was a spam email about someone who had viewed me on LinkedIn recently. From long-pressing to copy the URL, the link I believe I clicked was http://mycity.citywork.vn/wp-content/uploads/2020/twisterrt.php

I’ve already run a Malwarebytes virus scan from the mobile app on the phone (came up clean) and changed the passwords (from another PC) to all 5 emails that I had linked in the Gmail app, as well as cleared the app caches and storage.

I was wondering if any experts could let me know what damage could possibly have been done considering the scenario (Android device, home network, Gmail app, clicked link in possibly malicious spam email causing a page to load, but no further prompts, user input, or changes as far as I was able to see), as well as, if possible, investigate the link to determine what it was attempting to do/load.

I’m a fairly technical (and fairly paranoid) person looking for a fairly technical answer in terms of the potential of whether something malicious could have been run/installed on the device and whether a full device wipe is recommended.

Thanks in advance for your help!

PDF fonts, encodings, and risk potentials interacting with web browser

I once encountered a very interesting type of XSS on a website purely by accident. This website allows users to upload PDFs, and will open the PDF in the browser with some built-in JavaScript. What happened was I uploaded a paper of mine that contains the text <script>alert()</script>, and when I tried to open the PDF, the script magically got executed in the browser. I reported this issue to the webmaster; they fixed it but did not tell me what had happened. What I also found is that the above text must be in a certain font for it to be executed (unfortunately I forgot what font it was).

Today, I was copying a piece of text from a PDF that was saved off a web page and pasting the text into a Word document, and I found that what was displayed in the PDF as “certified” became “certiÕed”. Again, it only happens with a certain font; the font in that PDF is “Open Sans”, a weird font that my PDF editor does not have but can still display.

I have very limited knowledge about PDF, fonts and encoding. I wonder if someone knowledgeable can explain the underlying reasons for my first and second observations. The first one is definitely an XSS breach, but might the second bear any security risk?

Risk of specific changes to the “Trusted” security zone

Our EDI VAN provides software to transmit sensitive customer and business data between our ERP and their website. This software requires that I add several URLs (including one plain HTTP) to the “Trusted” security zone on Windows 10. It also requires that I enable “Display mixed content”, “Access data sources across domains”, and “Don’t prompt for client certificate selection when only one certificate exists” for that zone.

What are the security implications of these changes? Are any of them clearly unnecessary security risks that I should warn my managers about? I already have a low opinion of our EDI VAN, so my bias may be fueling my suspicion.

Higher risk of no certificate pinning on mobile apps vs web apps?

Talking with people, it is frequently considered that having a mobile application without certificate pinning is a vulnerability. But I rarely see people mentioning it for web applications.

The question is, why is this issue only mentioned for mobile apps? Is there a higher risk derived out of this vulnerability on mobile apps?

Thinking about it, considering that the degree of difficulty is about the same for installing a rogue certificate on both PC and mobile, I would say that the vulnerability should exist in both cases, but in the case of web apps there would be no remediation action, since HPKP, which I think is the only way to achieve cert pinning, is becoming obsolete.

Now, none of the people I’ve talked with could give a reasonable explanation, so that’s why I wanted to see if there is indeed any good justification for mobile cert pinning.

Can I safely sell a used keyboard without risk of new owner recovering previous inputs?

As far as my knowledge goes, keyboards don’t store keystrokes in their memory by default (excluding those bundled with keyloggers). The thing that comes to my mind, though, is that some keyboards do have some built-in memory for storing user preferences (e.g. gaming keyboards). Can this somehow be reprogrammed to store data other than just the LED colour combo?

Can I sell my keyboard without worrying that the new owner might recover previous input in some way?

Cheers, Dominic