Wednesday 19 October 2016

Dell, Your Website Security Is Broken

You can download firmware and BIOS updates from Dell. Unfortunately the download link is plain HTTP :-(. Fortunately the page provides SHA hashes for the download, which are even correct --- though I imagine practically no-one checks them. Unfortunately, the download page itself is plain HTTP so those hashes can't be trusted either :-(.

Interestingly, the download page is available via HTTPS as well, but Google searches for "Dell bios update" etc. point to the insecure version of the site. I have no idea why that would be.
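The trust argument above can be written down as a small checker. This is an added example, not code from the post or from Dell: it classifies what a published SHA-256 can prove given the scheme of the page that lists it and the scheme of the download link, then verifies a file against that hash. The sample image bytes and the URLs are constructed placeholders.

```python
"""Added example (not from the original post): does a published checksum
authenticate a firmware download, given how the checksum and the file reach
the user?"""
import hashlib
import hmac
from urllib.parse import urlparse


def is_https(url: str) -> bool:
    """True when the URL is served over TLS."""
    return urlparse(url).scheme.lower() == "https"


def assess_download(page_url: str, download_url: str) -> str:
    """Classify how much a checksum listed on page_url tells us about a file
    fetched from download_url.

    "ok"          : both travel over HTTPS, so both are integrity-protected.
    "verify-hash" : the hash page is HTTPS but the file is plain HTTP; the hash
                    is trustworthy, so a matching digest authenticates the file.
    "untrusted"   : the hash page itself is plain HTTP, so an on-path attacker
                    can rewrite the hash together with the file; a match proves
                    nothing (the situation the post describes).
    """
    page_tls = is_https(page_url)
    file_tls = is_https(download_url)
    if page_tls and file_tls:
        return "ok"
    if page_tls:
        return "verify-hash"
    return "untrusted"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_matches(data: bytes, published_hex: str) -> bool:
    """Constant-time comparison of the computed digest with the published one."""
    return hmac.compare_digest(sha256_hex(data), published_hex.strip().lower())


def verify_download(page_url: str, download_url: str,
                    data: bytes, published_hex: str) -> tuple:
    """Return (accepted, reason). A file is accepted only when the hash can be
    trusted AND it matches; a hash that matches but came over plain HTTP is
    still rejected, because it may have been altered along with the file."""
    status = assess_download(page_url, download_url)
    if status == "untrusted":
        return False, "checksum page served over plain HTTP; hash not trustworthy"
    if not hash_matches(data, published_hex):
        return False, "sha256 mismatch"
    return True, status


# Constructed sample: a stand-in for a BIOS image and the hash a vendor page
# would list for it. These bytes are not a real firmware image.
SAMPLE_IMAGE = b"CONSTRUCTED-BIOS-IMAGE-PLACEHOLDER-0001"
SAMPLE_PUBLISHED_HASH = sha256_hex(SAMPLE_IMAGE)

# Placeholder URLs (hypothetical, not the vendor's real paths).
HTTP_PAGE = "http://example-vendor.test/support/driver"
HTTPS_PAGE = "https://example-vendor.test/support/driver"
HTTP_FILE = "http://downloads.example-vendor.test/bios.exe"
HTTPS_FILE = "https://downloads.example-vendor.test/bios.exe"

if __name__ == "__main__":
    for page, link in ((HTTP_PAGE, HTTP_FILE), (HTTPS_PAGE, HTTP_FILE),
                       (HTTPS_PAGE, HTTPS_FILE)):
        print(page, link, verify_download(page, link, SAMPLE_IMAGE,
                                          SAMPLE_PUBLISHED_HASH))
```

The point the checker makes explicit: a correct hash on a plain-HTTP page adds no assurance, because whoever can tamper with the download can tamper with the page that vouches for it. Moving the checksum page to HTTPS is what makes the hash worth checking, even if the binary itself still arrives over HTTP.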


The page includes (both active and passive) mixed content. Google Search likely falls back to non-secure HTTP when linking to pages with mixed content issues.