Maybe the download link on TPFC should be be changed or the same warning included? I do need to add a certificate exception for the SRWare homepage at https://www.srware.net/en/software_srware_iron.php.Homepage Warning: It is highly recommended you switch to something besides the default Iron homepage. It may contain ads or links to fake adware-containing downloads.
SRWare Iron Homepage
SRWare Iron Homepage
Probably has been discussed before. Anyway, from http://portableapps.com/apps/internet/iron_portable.
Re: SRWare Iron Homepage
I don't understand... so, the homepage is evil, but the app is not?
Re: SRWare Iron Homepage
I'm not sure. Why the warning on Portableapps? Also, it's possible Portableapps has made some mods, since users use another link to download. Why the precautions? I'm not making any judgements, just pointing this out. Anyway, WOT gives the SRIron site an excellent rating, so it's kind of confusing.
Re: SRWare Iron Homepage
The warning on PortableApps.com is about the default homepage of SRWare Iron, http://iron-start.com/, not about the download page. I copied the warning, with slightly different wording, to the entry.
The download page is not "evil". Srware.net only has an outdated TLS certificate, which means (with some simplifying) that the browser can't guarantee that it's actually connecting to the right website. The browser is not 100 % sure that a man-in-the-middle attack such as DNS spoofing isn't going on. No reason to panic: it's the same situation as with regular HTTP sites, as HTTP doesn't have endpoint authentication. Most of the time, the website is correct even when there are authentication problems. However, web browsers give these scary warnings when a website can't be authenticated because it might be an important site such as a bank. If the warnings were less scary, clueless users would just add security exceptions when they are, in fact, being attacked.joby_toss wrote:I don't understand... so, the homepage is evil, but the app is not?
Yes, PortableApps.com does "modify" programs. It bundles them with the PortableApps.com Launcher which portablizes them.TP109 wrote:Also, it's possible Portableapps has made some mods, since users use another link to download.
My YouTube channel | Release date of my 13th playlist: August 24, 2020
Re: SRWare Iron Homepage
I meant modify as for the default homepage settings or for eliminating malware. The portableapps.com page does state "ads and fake adware-containing downloads." If the home page is infected, possibly the the app itself could also be infected? Anyway, that statement combined with the certificate warning was suspicious. In any case, adding the warning to the entry is a good precaution even if it there really isn't anything to worry about.SYSTEM wrote: Yes, PortableApps.com does "modify" programs. It bundles them with the PortableApps.com Launcher which portablizes them.
-
JohnTHaller
- Posts: 716
- Joined: Wed Feb 10, 2010 4:44 pm
- Location: New York, NY
- Contact:
Re: SRWare Iron Homepage
Last I checked, the iron-start page routinely showed ads with fake 'download' buttons that are designed just to download rather nasty stuff. I added that note to let users know about it. We also have notes for apps where the local versions or the publisher's own 'portable installer' have particularly tricky bundleware that is either difficult not to install or will install even when you select not to install. Only DVD Styler has fallen afoul of the latter and it was corrected a few versions after it happened. It doesn't affect our packaged versions, of course, but sometimes a user will go and install a local version of a given app after seeing it on our site.
As a general rule, we don't modify app settings except as they affect portability and performance from flash media (though the latter is less likely now that more and more of our users use our apps locally). Homepage settings in an app are usually how the publisher makes money. Many times, we are contractually obligated to leave these unchanged (Firefox, Opera, etc). Other times, we could easily change them for our packaged versions but we leave them as is so the developer continues making money to fund development (Iron, QupZilla, etc).
As a general rule, we don't modify app settings except as they affect portability and performance from flash media (though the latter is less likely now that more and more of our users use our apps locally). Homepage settings in an app are usually how the publisher makes money. Many times, we are contractually obligated to leave these unchanged (Firefox, Opera, etc). Other times, we could easily change them for our packaged versions but we leave them as is so the developer continues making money to fund development (Iron, QupZilla, etc).
PortableApps.com - The open standard for portable software | Support Net Neutrality
Re: SRWare Iron Homepage
Rather scary scenario. Good to know that this stuff doesn't go on unchecked. I downloaded the portableapps.com version of SRWare Iron after becoming suspicious.JohnTHaller wrote:Last I checked, the iron-start page routinely showed ads with fake 'download' buttons that are designed just to download rather nasty stuff....
Re: SRWare Iron Homepage
JohnTHaller wrote:Last I checked, the iron-start page routinely showed ads with fake 'download' buttons that are designed just to download rather nasty stuff.
- The way I see it, with very few exceptions, most one-click file hosters display similar adds right along their downloads nowadays, making a good adblocker a must have.
What's particularly unfortunate in Iron's case is this coupling with the certificate issue, which screams malware from the get go...
Iron's prestige with the vocal majority of the net literati crowd never really amounted to anything -- this episode sure won't help it.