[German]After years, Microsoft decided to change something. As of April 1, 2022 (not an April Fool's joke), Microsoft seems to have finally adjusted its download offer for updates so that they are consistently offered via the https protocol instead of the unencrypted http protocol. This should avoid that browsers refuse to download an update via http. Here's a brief overview of this topic.
Advertising
The http update download chaos
For years Google & Co. have been propagating that communication with websites should please be done via the https protocol, so that the integrity of the communication is guaranteed via encryption and the servers are accounted for via SSL certificates. At Microsoft, however, it has been the case for many years that downloads of update packages had to be retrieved – or at least triggered for download – via the unencrypted http protocol. I'll link to this German discussion within my blog (I've translated the text):
Blog reader Bolko: Microsoft uses HTTP instead of HTTPS for the update catalog and Chromum complains and refuses.
With Firefox, however, you can click "Continue with HTTP".Microsoft should improve and switch to HTTPS downloads.
Günter Born: This has already been criticized by Stefan Kanthak years ago – Microsoft knows the problem. There are sometimes wild redirections – but not always.
And in the discussion area of my German blog there was the memorable discussion on September 29, 2021 (which I've translated):
Anonymous: the new MS Edge (v94) now blocks MSU downloads from *ttps://www.catalog.update.microsoft.com/
because the download links are "http" only *LOL*.
G. Born: So Microsoft finally got it. Stefan Kanthak has been hammering me for years with the http links I copy out of support articles for updates.
Conclusion: It would have been time for Microsoft to switch the download of its update packages to the https protocol throughout to increase consistency and security.
The update packages are provided with a SHA key and a digital signature, and thus protected against manipulation. In the meantime, however, most browsers have issues with http addresses and the above comments show that. On Twitter, the following two tweets has the same tenor.
Advertising
Something has changed
Saturday morning (4/2/2022) I came across this article and following tweet from my colleagues at deskmodder.de. A blog reader has also pointed out this in a comment to my old German blog post Probleme mit dem Microsoft Update Catalog (thanks for that).
About the facts: They are quite simple – since April 1, 2022, all update downloads from the update servers and from the Microsoft Update Catalog should be received via the https protocol. Downloads from the Microsoft Update Catalog will then have URLs with the scheme:
*https://catalog.s.download.windowsupdate.com/c/msdownload/update
instead of the old nomenclature:
*http://download.windowsupdate.com/d/msdownload/update/
So not only has the https protocol been enforced, but the download is also initiated from a subdomain catalog.s, where the s in the URL probably stands for secure. For the downloads from the Microsoft Update Catalog nothing changes – only direct download links, which refer in the Internet to the Microsoft servers, must be probably adapted – or should be provided by Microsoft with a Redirect. The download problems with various browsers due to the http protocol problem should also be solved. You can leave a feedback if there are still problems or if I missed something in the above excerpt.
