#2067 Enable strict HTTPS with HSTS on 7zip.org website

Status: open
Owner: nobody
Labels: security (21)
Priority: 5
Updated: 2017-07-03
Created: 2017-07-03
Private: No

Currently the 7-Zip website is running over cleartext HTTP, and for that reason its users can be subject to MITM (man-in-the-middle) attacks that substitute the installation binaries served by the 7-zip.org domain.

The download web page contains direct links to .exe files using HTTP-only URLs: http://7-zip.org/download.html

Open-source software like Bettercap [1] or MITMf [2] allows doing that, but it is publicly known that governmental trojans [3] [4] are being deployed against end users that way.

The way to protect against such attacks is extremely simple: deploy an HTTPS-only website and properly configure HSTS [5] on the web server.

This ticket asks the 7-Zip team to make the existing 7-Zip website HTTPS-only, achieving an A+ rating on the https://www.ssllabs.com HTTPS measurement service.

[1] https://github.com/evilsocket/bettercap-proxy-modules/blob/master/http/download_hijack.rb
[2] https://github.com/byt3bl33d3r/MITMf
[3] https://security.stackexchange.com/questions/152744/what-does-injection-proxy-mean-in-rcs-of-hackingteam
[4] https://theintercept.com/2014/03/12/nsa-plans-infect-millions-computers-malware/
[5] https://raymii.org/s/tutorials/HTTP_Strict_Transport_Security_for_Apache_NGINX_and_Lighttpd.html
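The two checks the ticket describes, as an added example that is not part of this ticket or of the 7-Zip project: scan a download page for binaries linked over cleartext HTTP (the ones an on-path attacker can substitute), and judge whether a Strict-Transport-Security header is strict enough to stop the downgrade on later visits. The HTML, hostname (example.invalid) and header values are constructed for the example; the one-year minimum max-age is the preload-list requirement, used here as the bar for "strict".

```python
"""Added example (not part of the ticket or of 7-Zip's site): offline checks
for cleartext binary downloads and for HSTS header strength.

All inputs below are constructed for the example; example.invalid is not
a real host.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

BINARY_EXTS = (".exe", ".msi", ".7z", ".zip", ".tar.xz")
# One year in seconds: the HSTS preload list requires at least this max-age.
ONE_YEAR = 31536000


class _LinkCollector(HTMLParser):
    """Collect every href of every <a> tag in a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def find_cleartext_binary_links(html, base_url, exts=BINARY_EXTS):
    """Return absolute URLs of binary downloads reachable over plain http://.

    Relative links are resolved against base_url, so a page fetched over
    HTTP that links to "a/7z.exe" is reported as cleartext as well.
    """
    parser = _LinkCollector()
    parser.feed(html)
    hits = []
    for href in parser.hrefs:
        url = urljoin(base_url, href)
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.path.lower().endswith(exts):
            hits.append(url)
    return hits


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into {directive: value}."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def hsts_problems(header, min_age=ONE_YEAR):
    """Return the reasons a header is not strict enough; empty list means ok."""
    if header is None:
        return ["no Strict-Transport-Security header"]
    problems = []
    d = parse_hsts(header)
    if "max-age" not in d or not d["max-age"].isdigit():
        problems.append("max-age missing or not a number")
    elif int(d["max-age"]) < min_age:
        problems.append("max-age %s is shorter than %d seconds" % (d["max-age"], min_age))
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload missing (not eligible for the preload list)")
    return problems


# Constructed download page: two cleartext .exe links (one relative),
# one HTTPS archive, and one non-binary cleartext link.
SAMPLE_PAGE = """<html><body>
<a href="http://example.invalid/a/7z1700-x64.exe">64-bit</a>
<a href="a/7z1700.exe">32-bit</a>
<a href="https://example.invalid/a/7z1700-extra.7z">extra</a>
<a href="http://example.invalid/history.txt">history</a>
</body></html>"""
SAMPLE_BASE = "http://example.invalid/download.html"

WEAK_HSTS = "max-age=300"
STRICT_HSTS = "max-age=31536000; includeSubDomains; preload"

if __name__ == "__main__":
    for url in find_cleartext_binary_links(SAMPLE_PAGE, SAMPLE_BASE):
        print("cleartext binary:", url)
    for label, hdr in (("none", None), ("weak", WEAK_HSTS), ("strict", STRICT_HSTS)):
        print(label, hsts_problems(hdr) or "ok")
```

Two caveats a browser imposes: the Strict-Transport-Security header is only honoured when received over HTTPS, so the HTTP site still needs a redirect to HTTPS for the first visit, and that first visit remains exposed until the domain is on the preload list. The header check above therefore only tells you the policy is strong enough once it has been seen; it does not replace fixing the cleartext links themselves.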
