[German]Yesterday I reported, that the site heidoc.net and the 'Windows und Office ISO Download Tool' is no longer available (see my blog post Microsoft ends Techbench program; axes Windows ISO Download Tool & heidoc.net is dead?). But that was a false alarm – the site and the tool is back to life. In this blog post I will uncover a few details what has happens.
Sometimes things are different from what the first view suggests – and sometimes a third and fourth detailed view is needed.
I'm using a plugin within my blog to detect broken links within the blog posts. Yesterday I found a long list of broken links, and many are pointing to heidoc.net. After I inspected the links reported, I found out, that not only the whole Joomla contend was gone. Also heidoc.net pointed to a cambodian auction platform.
A short check of "Windows and Office ISO Downloader" gave me the following error message.
Then things went even worser: During investigating the case, I found posts in German forums, that the latest Downloads of the tool was quoted from several third party antivirus scanner als "trojan infected". And a few hours later, Google Chrome blocked heidoc.net with a warning, that the certificate was invalid.
I was aware, that the owner of heidoc.net, Jan Krohn, has moved from Germany to Cambodia. So my conclusion was: Either Jan has given up his activities in ISO downloader and dedicated his site to another user – or even bad things happens (a site was infected or hijacked).
Jan Krohn left a comment to explain the incident
Later on, I received reports, that heidoc.net was back to life and also the "Windows and Office ISO Downloader" works again. Then Jan Krohn (the owner of heidoc.net) left a Comment in my German blog, explaining the issue. Here is a free translated version
Sorry, my fault… during installing my SSL certificates on my two domains I reversed the certificates. … Version 3.20 is coming soon, including integrated download lists, in case heidoc.net is unavailable.
Here I will thank Jan for his insight. And sorry to my blog readers for the false alarm. It was also partially my fault, I have had information that I could verify (the not reachable heidoc.net site, the blocked certificate and the broken Download tool). And I know that Jan has moved to Cambodia and that Microsoft's Techbench program site was redirected to a Windows 10 download site. My fault: I mixed these information to a inaccurate image.
Yes, the tool and the site wasn't availabe. And No, Jan Krohn did not intend to axes the tool and his site.
Wait, there is a bit more to tell …
Ok, Jan explained some thing, and my assumptions are false at the end of the day. Job done? After I left a comment under a MajorGeeks YouTube-video, I received a "our post smells like spam. The tool works just fine. I just tested and downloaded." – ok, I understand their position – but it's a bit too simple, isn't it. So I decided to uncover a few additional things (I haven't read that in many "nice" US blogs introducing this tool).
What's happended (probably)
- Jan Krohn runs two sites with separate domains, heidoc.net and an auction site in Pnom Penh.
- He switched the sites to https and was in need to associate a SSL certificate.
- From what I've seen during the day, first he reversed the (MX) records, so heidoc.net pointed for hours with a valid certificate to the auction site. Of course, all urls pointing to his heidoc.net Joomla sites was broken (that was what a plugin reports within my blog).
- Then he tried to fix things, and for some times the SSL certificates was reversed, so the site was blocked in Google Chrome (due to certificate errors).
- The malfunction of the 'Windows und Office ISO Download Tool' was a "following error". The tool needs access to a list of Techbench download links, hostet on heidoc.net server. If heidoc.net is down, the ISO downloader stalls.
Although I would quote the ISO downloader as "helpful", this case shows "the devil is in the detail". So here are a few additional thoughts. A few days ago I read a Google announcement, that Google Chrome will mark http sites as unsecure – forcing users to upgrade their web servers to https support. The incident shown above is a nice example, what could be happen, if things are required, without weighting the details – but that's only a side note.
Implications for ISO-Downloaders
Jan Krohn announced within his comment a Version 3.20 of his tool that comes with the Techbench Link lists. So the tool doesn't depend on a running heidoc.net server. But lets have a closer look at this decision from a programmers view.
- The current implementation download the Techbench Link lists to the Microsoft Download-Server from heidoc.net. This gives Jan the possibility to amend the list on his server (single source).
- But, if somebody is able to hack the Joomla server and alter the list, it would be possible to force the ISO downloader to download fake ISO images with malware – it's a security risk.
An let me note: This risk is available, although the heidoc.net server communication is secured with https! If the server is compromised, https doesn't helps.
Now Jan Krohn plans to release Version 3.20 of his 'Windows and Office ISO Download Tool' that ships the Techbench-Download-Link list. The tool doesn't need the heidoc.net server anymore. But: If something is changing within the download link list, a new version of the tool is mandatory. A possible solution: Jan implements a dynamic update of the local list from his server.
I mentioned several reports in German forums, that the latest download of the ISO downloader was flagged from third party AV tools as "Trojan infected". I never have had such a version, so I guess, it was also false alarms. So I can's say more. But it shows, how complex things can be.
I've mentioned in my blog post Microsoft ends Techbench program; axes Windows ISO Download Tool & heidoc.net is dead? another solution. Experienced users should vitit the site TechBench dump at GitHub. This site delivers the direct download links to Microsoft's download servers (so no tool is necessary). But I like to give here also a clear warning: Github communication is secured by https, but users need to trust that Github isn't compromised. If the Github download link list is compromised, it's possible to point to fake ISO downloads. And if the Github server stalls, downloads are not possible.
Just a tip: To avoid compromised download, you can check the download links before initiating a download.
Just point with the cursor to the download link shown within the Github site, allows you to verify via the browser's status bar that the link points to a Microsoft download server.
If Jan Krohn reads this, I would recommend to implement a similar mechanism within his ISO-Downloader Version 3.20.
Well, I wrote a lot about this case – and sorry for my wrong assumption in my previous post. But: This case can be an example to have a closer look at things and don't trust such tools.
Cookies helps to fund this blog: Cookie settings