My clamwin piped up that it should be updated. And then opened the Browser, pointing to an unprotected http:// link.
Please at least use https for downloads triggered by the update mechanism of clamwin (yes, yes, I know, users will ignore https certificate warnings in any case, but clamwin might check it in the ideal case...)
With plain http, DNS spoofing, hosts.txt entries or man in the middle could be used to trigger the download of a tampered with clamwin executable.
Log in to post a comment.