
Updates use HTTP and not HTTPS - why?

Hi,

I've noticed that the Sophos updater downloads updates using HTTP. Specifically, the configuration in "/Library/Sophos Anti-Virus/sau.plist" lists "http://dci.sophosupd.com/osxhe" as the update URL.

This apparently cannot be changed to HTTPS.  From the documentation - https://www.sophos.com/en-us/medialibrary/PDFs/documentation/savmosx_8_nsgeng.pdf?la=en

Considering the concern over MitM attacks coupled with XML attacks, why is HTTPS not used? FYI, I tried to modify the HTTP URL to HTTPS; the update will just fail.

Any input on this?  Can this be changed?

Thanks.


