> You can't just call it "malvertising" when it's just not what you wanted...
It's an advertisement which seeks to get users to download software from an unofficial source. The site does not provide links to the official sources.
The advertiser has paid money to get users to go to their site instead of the official source. The advertiser seeks to misdirect users into visiting their site (which is loaded with ads) instead of the official one. I consider this misdirection to be malicious.
Are they official mirrors? Linked from the official site? If not, I'm not trusting them. Incentives are not aligned properly. Also notice, that the more ads are on such a site, the less trustworthy it is. Do you think CNET / download.com are good places to get your software from?
CNET and download used to be, sure. Maybe not so much anymore. I'm just saying official or not, if the checksum matches - it's not malicious. End of story.
You're correct though in that just randomly picking mirrors is a bad idea. I seriously doubt your average person is utilizing checksums.
> I seriously doubt your average person is utilizing checksums.
Sure, if you're utilizing checksums the way they should be then go ahead. But honestly, even I don't care that much - my ad-heuristic was sufficient so far :). I should probably start using them. I guess it's like with all things crypto - the UX sucks so bad that most people don't bother.
Checksums are particularly handy when the original source is inaccessible. In that sort of situation I can google the file name and verify authenticity easily.
>I'm just saying official or not, if the checksum matches - it's not malicious. End of story.
Well...it would take a particularly crafty individual and far too much time, but spoofing a malicious MD5 checksum should be considered plausible. The chances of it being malicious, however, are drastically reduced to such a large degree that it is safe to consider it negligible. (Note: I only make this claim about MD5 checksums, not SHA-1 or SHA-2. I do not consider MD5 secure in any manner and my trust of SHA-1/SHA-2 isn't exactly high either.)
I provide SHA-1 and MD5 checksums of any software I distribute - if only because I think it is the proper thing to do. Even if most people don't bother checking them (let alone know how to check them).
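The checks the thread keeps coming back to (does the digest match, and is the hash algorithm worth trusting) as an added example; this is not code from any of the commenters. It assumes a manifest in the `md5sum`/`sha256sum` output format (`<hexdigest>  <filename>`), and the file bytes and manifest lines are constructed inline so it runs offline: the "download" is the three bytes `abc`, whose MD5, SHA-1 and SHA-256 digests are well known.

```python
"""Verify a downloaded file against a published checksum manifest.

Added example, not code from the discussion above. The file bytes and
the manifest are constructed here; in practice the manifest must come
from the official site, not from the same unofficial mirror that served
the download, or a matching digest proves nothing.
"""
import hashlib
import hmac

# Graded by collision resistance: MD5 and SHA-1 have practical collision
# attacks, so a match only shows the mirror served what it advertised.
WEAK = {"md5", "sha1"}
STRONG = {"sha256", "sha512"}

# Constructed sample "download": the bytes b"abc" and a tampered copy.
FILE_NAME = "tool-1.2.3.tar.gz"
FILE_BYTES = b"abc"
TAMPERED_BYTES = b"abd"

# Constructed manifests using the known digests of b"abc".
MANIFEST = {
    "md5": "900150983cd24fb0d6963f7d28e17f72  tool-1.2.3.tar.gz\n",
    "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d  tool-1.2.3.tar.gz\n",
    "sha256": (
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
        " *tool-1.2.3.tar.gz\n"  # '*' is the coreutils binary-mode marker
    ),
}


def parse_manifest(text):
    """Parse `<hexdigest>  <filename>` lines into {filename: hexdigest}.

    Lines that do not have exactly two fields are ignored, and a leading
    '*' on the filename (binary mode) is stripped.
    """
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        digest, name = parts
        entries[name.lstrip("*")] = digest.lower()
    return entries


def digest_for(data, algorithm):
    """Hex digest of `data` under the named hashlib algorithm."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def verify(data, filename, manifest_text, algorithm):
    """Return (ok, reason). ok is True only when the digest matches.

    The reason also flags a collision-prone algorithm, because a matching
    MD5 or SHA-1 is weaker evidence than a matching SHA-2 digest.
    """
    if algorithm not in WEAK | STRONG:
        return False, f"unsupported algorithm {algorithm}"
    expected = parse_manifest(manifest_text).get(filename)
    if expected is None:
        return False, f"{filename} is not listed in the manifest"
    actual = digest_for(data, algorithm)
    # Constant-time comparison; the strings are hex, so comparing str is fine.
    if not hmac.compare_digest(actual, expected):
        return False, f"{algorithm} mismatch: got {actual}, expected {expected}"
    if algorithm in WEAK:
        return True, (f"{algorithm} matches, but {algorithm} is collision-prone;"
                      " confirm against a SHA-2 digest from the official site")
    return True, f"{algorithm} matches"


if __name__ == "__main__":
    for algo, manifest in MANIFEST.items():
        print(algo, verify(FILE_BYTES, FILE_NAME, manifest, algo))
        print(algo, verify(TAMPERED_BYTES, FILE_NAME, manifest, algo))
```

On a Linux box the equivalent of `verify` for a whole manifest is `sha256sum -c SHA256SUMS`; the point the script makes explicit is that the command only tells you the file matches the manifest you fed it, so the manifest has to be fetched from somewhere you already trust.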