Insecure Download Prompts for Admin Password

Discussion in 'Installation and Configuration of Parallels Desktop' started by GardnerB, Nov 2, 2017.

  1. GardnerB

    GardnerB Bit poster

    I am evaluating virtualization products for macOS. I just came to install Parallels and I noticed that it is downloaded insecurely over http. I searched the web for checksums of the file ParallelsDesktop-13.1.1-43120.dmg but could not find any. This is insecure because anyone in between me and the download server could rewrite the contents of the ParallelsDesktop-13.1.1-43120.dmg file which I would then run locally and enter my administrative password.

    Please raise this issue with your security team. Please enable HTTPS downloads or at least publish checksums of the files over HTTPS. BitTorrent has this baked into the protocol. Perhaps serving a .torrent file over HTTPS or even just a magnet link over HTTPS.

    The important thing is that one trustable thing must be served over a trusted channel. On the web, that is HTTPS.

    Ahh! I just noticed that if I manually add an S into the same URL then it downloads over HTTPS. For anyone wondering:
    c341ce475903925981d6f8bdd2f4c6b3 ParallelsDesktop-13.1.1-43120.dmg
    2646b38306d26a025cb936058710a82cef0bac5ac25cda4d9573bbc27325f52d ParallelsDesktop-13.1.1-43120.dmg

  2. rkulikov

    rkulikov Parallels Developers

    Just in case, if you are using macOS 10.11.5 or newer you may check signature of DMG image using codesign(1) tool.

Share This Page