For a significant site distributing software in this day and age, it’s odd. Given that the pages themselves could be modified in transit, a PGP signature or the hashes listed on a mirror list page aren’t on their own so reassuring, at least against concerns of intentional compromising of the downloaded file (as opposed to accidental corruption).
While documents like the mirror list and PGP signature can be retrieved over HTTPS (although links on LibreOffice.org and from the button in the software’s own update check dialog lead to an HTTP page), the binary package download links are still all HTTP. Even if you edit the URL of the “Download file from preferred mirror” link to HTTPS, it doesn’t help: You get a 302 redirect to an HTTP mirror. e.g.
https://download.documentfoundation.org/libreoffice/stable/5.1.4/mac/x86_64/LibreOffice_5.1.4_MacOS_x86-64.dmg
sends me (via an HTTP 302 redirection) to
http://noodle.portalus.net/tdf/libreoffice/stable/5.1.4/mac/x86_64/LibreOffice_5.1.4_MacOS_x86-64.dmg
What gives? Offering only HTTP downloads is severely anachronistic, like something out of the era when downloading from SunSITE mirrors was common. In 2016, MitM attacks are a reality.
Currently, to be reasonably sure they’re getting a legitimate file, a user has to go through an unnecessary number of hoops:
- Download the binary package.
- Go to the download mirror page.
- Click on the SHA-256 link.
- In the browser’s address bar, manually change the URL to https://…, and hit Enter.
- Save that file (making sure the browser doesn’t append an extension like “.txt”, giving something like filename.sha256.txt).
- Run a check, e.g. on OS X, “shasum -a 256 -c LibreOffice_5.1.4_MacOS_x86-64.dmg.sha256”
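One way to automate the manual check above, as an added example that is not from the original post or the LibreOffice project: it parses the .sha256 file in shasum format, refuses to use it unless both the URL requested and the URL that finally answered (after any 302) are HTTPS, and compares the package’s digest the way “shasum -a 256 -c” would. The URLs and the “package” bytes in run_example are constructed placeholders.

```python
import hashlib, hmac, os, re, tempfile
from urllib.parse import urlsplit

# shasum/sha256sum line format: 64 hex digits, whitespace, optional '*', file name
SHA256_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")

def parse_sha256_file(text):
    """Map file name -> expected hex digest from the lines of a .sha256 file."""
    entries = {}
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = SHA256_LINE.match(line)
        if not m:
            raise ValueError("malformed checksum line: %r" % line)
        entries[m.group(2)] = m.group(1).lower()
    return entries

def sha256_of_file(path):
    """Stream the file so a large installer need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(package_path, sha256_text, requested_url, final_url):
    """True only if the .sha256 file was served over HTTPS end to end (the URL
    asked for AND the URL that answered after any 302) and the package's
    digest matches the entry for its own file name."""
    if any(urlsplit(u).scheme != "https" for u in (requested_url, final_url)):
        return False
    expected = parse_sha256_file(sha256_text).get(os.path.basename(package_path))
    if expected is None:
        return False
    return hmac.compare_digest(sha256_of_file(package_path), expected)

def run_example():
    """Constructed sample (not a real installer); returns three verdicts."""
    name = "LibreOffice_5.1.4_MacOS_x86-64.dmg"
    https = "https://download.documentfoundation.org/EXAMPLE.sha256"  # placeholder
    mirror = "http://noodle.portalus.net/EXAMPLE.sha256"              # placeholder
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(b"constructed package bytes\n")
        good = "%s  %s\n" % (sha256_of_file(path), name)
        bad = ("0" if good[0] != "0" else "1") + good[1:]  # one corrupted hex digit
        return (verify_download(path, good, https, https),   # genuine: True
                verify_download(path, good, https, mirror),  # hash file via HTTP: False
                verify_download(path, bad, https, https))    # digest mismatch: False
```

A hash file that itself arrived over plain HTTP proves nothing, which is why the second verdict is False even though the digest matches.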
Most users will not do that. The current arrangement therefore seems irresponsible to me. Is there some compelling reason I’m missing to not offer LibreOffice over HTTPS? If it’s that the Document Foundation hasn’t been able to get all the mirror providers on board to serve over HTTPS, why not at least get some of them to do so, and only redirect to those ones from any 302 redirection served by https://download.documentfoundation.org/… requests? (and on the mirror list pages, explicitly mark the others as insecure HTTP).