Prototype version... elvey.com/insecure
The Internet is STILL plagued by insecure updates. It's been years since the problem of insecure updates was publicized, but most of the computer software industry still seems to be ignoring the problem, including many security software firms! Perhaps 1 out of 4 software updates is available securely. I've been blogging about this for some time, and have looked into and tried various ways of shaming the major players into fixing up their act. I've been successful in getting a few to do so (including Google, Objective Development and Prey) but unsuccessful with most, e.g.:

- Amazon
- Adobe (Flash)
- Cisco (?)
- Mozilla (Firefox, etc.)
- Microsoft: e.g. Silverlight for Mac OS X cannot be downloaded securely; Microsoft Support confirmed this AND stated that they do NOT intend to address the problem.
- Apple: Mac OS X combo update SHA1 checksums are posted on https-accessible web pages, but they're mixed-security pages, and so still insecure. I reported this to product-security@ on Wed, 13 Dec 2006. However, they are still (as of October, 2011) serving even current combo updates via mixed-security web pages. Fortunately, they ARE now serving the combo updates themselves over https.
- ShedWorx (makers of Cosmos for iOS, Cosmos for Mac, VoltaicHD, RevolverHD, Jaksta, mkvWatch, HD Quick Look, Music Converter Pro 1.2, and Smart Converter Pro and non-Pro): reported 09/20/2011, still insecure as of 2/8/2012.
- etc.
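The Apple case above makes the practical point: a checksum is only as trustworthy as the channel it arrives over, and an https page that embeds even one plain-http script or image is a mixed-security page that an on-path attacker can alter. The following script is an added example (not code from elvey.com or from any vendor named above) that audits a vendor's update delivery the way a defender would: it checks that the download URL and the checksum page are both https, flags any sub-resource the checksum page loads over http, and verifies a downloaded file's SHA1 against the published digest with a constant-time comparison. The URLs, host names and HTML in it are constructed for the example, not taken from any real vendor page.

```python
"""Audit helpers for the insecure-update problem described above (added example).

Two checks a defender wants before trusting a vendor's update:
1. Are the update file and the page publishing its checksum both served
   over https?
2. Does that https page pull in any sub-resource (script, stylesheet,
   iframe, image, form target) over plain http?  Such a mixed-security
   page can be altered via the insecure resource, so a checksum printed
   on it cannot be trusted.

All URLs and HTML below are constructed for this example.
"""
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes through which a page can load active or displayed content.
_RESOURCE_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "img": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "form": ("action",),
}


class _ResourceCollector(HTMLParser):
    """Collect absolute URLs of sub-resources referenced by a page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        wanted = _RESOURCE_ATTRS.get(tag)
        if not wanted:
            return
        attrs = dict(attrs)
        for name in wanted:
            value = attrs.get(name)
            if value:
                # Resolve relative and protocol-relative references against
                # the page URL, so "//cdn.example.test/x.js" on an https page
                # is correctly treated as https rather than flagged.
                self.resources.append(urljoin(self.base_url, value.strip()))


def is_https(url):
    return urlsplit(url).scheme.lower() == "https"


def insecure_subresources(page_url, html):
    """Return the sub-resource URLs that the page loads over plain http."""
    collector = _ResourceCollector(page_url)
    collector.feed(html)
    return [u for u in collector.resources if urlsplit(u).scheme.lower() == "http"]


def classify_update(download_url, checksum_page_url, checksum_page_html):
    """Classify a vendor's update delivery as 'secure', 'mixed' or 'insecure'.

    'insecure': the download or the checksum page is plain http.
    'mixed':    both are https, but the checksum page embeds http resources.
    'secure':   both are https and the checksum page has no mixed content.
    """
    if not (is_https(download_url) and is_https(checksum_page_url)):
        return "insecure"
    if insecure_subresources(checksum_page_url, checksum_page_html):
        return "mixed"
    return "secure"


def verify_sha1(data, published_hex):
    """Compare a download's SHA1 with a published hex digest in constant time.

    SHA1 is used because that is what the page says Apple publishes; the
    comparison is only as trustworthy as the channel the digest came from.
    """
    actual = hashlib.sha1(data).hexdigest()
    return hmac.compare_digest(actual.lower(), published_hex.strip().lower())


# Constructed sample: an https checksum page that pulls a script and an
# image over http (hypothetical hosts, not a real vendor's page).
SAMPLE_PAGE_URL = "https://updates.example.test/combo-update.html"
SAMPLE_PAGE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="//cdn.example.test/lib.js"></script>
<script src="http://analytics.example.test/track.js"></script>
</head><body>
<p>SHA1 (ComboUpdate.dmg) = da39a3ee5e6b4b0d3255bfef95601890afd80709</p>
<img src="http://img.example.test/logo.png">
</body></html>
"""

if __name__ == "__main__":
    print("insecure sub-resources:", insecure_subresources(SAMPLE_PAGE_URL, SAMPLE_PAGE_HTML))
    print(classify_update("https://updates.example.test/ComboUpdate.dmg",
                          SAMPLE_PAGE_URL, SAMPLE_PAGE_HTML))
    # The digest above is SHA1 of the empty file, so an empty download matches.
    print(verify_sha1(b"", "da39a3ee5e6b4b0d3255bfef95601890afd80709"))
```

Run against the constructed page, the checksum page is classified as "mixed" even though both it and the download are https, which is exactly the situation the Apple entry describes: the digest is published, but over a page an attacker could tamper with. In real use, the HTML would be fetched over https with certificate verification, and a "mixed" or "insecure" result should be treated as "do not trust this checksum".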
All of the major package managers for Linux try to be secure, but all have vulnerabilities.
So, we need a well-maintained, well-publicized list that names and shames those that don't get with the program. This is to be that list.
-Matthew Elvey.
June 7, 2011. (Initial version. Revised occasionally.)
...
Feb 8, 2012. (Version 1.5.)