Eyes Above The Waves

Robert O'Callahan. Christian. Repatriate Kiwi. Hacker.

Wednesday 19 October 2016

Dell, Your Website Security Is Broken

You can download firmware and BIOS updates from Dell. Unfortunately the download link is plain HTTP :-(. Fortunately the page provides SHA hashes for the download, which are even correct --- though I imagine practically no-one checks them. Unfortunately, the download page itself is plain HTTP so those hashes can't be trusted either :-(.

Interestingly, the download page is available via HTTPS as well, but Google searches for "Dell bios update" etc. point to the insecure version of the site. I have no idea why that would be.


The page includes (both active and passive) mixed content. Google Search likely falls back to non-secure HTTP when linking to pages with mixed content issues.
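
An added example (not from the original post or the comment above): a small Python audit of a download page for the problems described here, namely a page not delivered over HTTPS (so any hashes shown on it are unauthenticated), plain-HTTP download links, and active or passive mixed content. The sample markup, the `.example` hosts and the file-extension list are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Plain-HTTP subresources on an HTTPS page: active ones can rewrite the page if loaded.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src")}
DOWNLOAD_EXTS = (".exe", ".zip", ".bin", ".rom", ".cab")  # assumed extension list

# Constructed sample markup; hosts are placeholders, not the vendor's real page.
SAMPLE = """<link rel="stylesheet" href="http://static.example/site.css">
<script src="http://static.example/app.js"></script>
<img src="http://static.example/logo.png">
<a href="http://downloads.example/bios_update.exe">BIOS update</a>"""

class PageAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.https = urlparse(page_url).scheme == "https"
        self.active, self.passive, self.http_downloads = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for attr in ("src", "href"):
            url = urljoin(self.page_url, a.get(attr) or "")  # resolve relative URLs
            if not a.get(attr) or urlparse(url).scheme != "http":
                continue
            if tag == "a":  # link to a file fetched without transport integrity
                if urlparse(url).path.lower().endswith(DOWNLOAD_EXTS):
                    self.http_downloads.append(url)
            elif self.https and (tag, attr) in ACTIVE:
                # <link> counts as active only when it loads a stylesheet
                if tag != "link" or "stylesheet" in (a.get("rel") or "").lower():
                    self.active.append(url)
            elif self.https and (tag, attr) in PASSIVE:
                self.passive.append(url)

def audit(page_url, html):
    p = PageAudit(page_url)
    p.feed(html)
    p.close()
    # Hashes shown on the page are only as trustworthy as the page's own delivery.
    return {"page_integrity_protected": p.https and not p.active,
            "active_mixed": p.active, "passive_mixed": p.passive,
            "http_downloads": p.http_downloads}

if __name__ == "__main__":
    print(audit("https://support.example/drivers", SAMPLE))
```

A page that reports `page_integrity_protected` as false gives no assurance about the hashes it displays, even when the hashes themselves happen to be correct.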