Any software download should use https.
Using http you put users at risk installing malwares.
Well it *is* using https: (and not http:) as you also said in the report header. Dunno what unsecure protocol you're talking about.
The link on the secure page https://www.libreoffice.org/download/libreoffice-fresh/ for "Download Version 5.1.4" use the unsecure HTTP protocol:
It then redirect to the secure page https://donate.libreoffice.org/fr/dl/win-x86/5.1.4/fr/LibreOffice_5.1.4_Win_x86.msi
And launch download from the **insecure** HTTP link http://ftp.free.fr/mirrors/documentfoundation.org/libreoffice/stable/5.1.4/win/x86/LibreOffice_5.1.4_Win_x86.msi (no redirect to https this time!)
So the final download is NOT using https.
(In reply to tdelmas from comment #2)
> It then redirect to the secure page
Well, atleast it's redirecting to a secure page. Which is a good thing.
> So the final download is NOT using https.
I see. But it's not a bug, as the link is working normally. You might wanna set it as enhancement.
This download site is secure: https://download.documentfoundation.org/libreoffice/ , but notice that a lot of ftp mirrors which distribute LO (including the ones on universities) across the world also aren't. Wanna make them all secure ?!
(In reply to MM from comment #3)
> I see. But it's not a bug, as the link is working normally. You might wanna
> set it as enhancement.
You can call that an enhancement. I call the current situation a security hole. A MitM can use that to install malware. Some rogue tor node did it, it's not science fiction.
Using only https mirrors is one solution. Another one could be a small downloader, downloaded from the https official website, that download from mirrors/torrent and check the checksum before install.
Since this is related to the website, and not LibreOffice itself, could you open a ticket at https://redmine.documentfoundation.org/ ?
(In reply to Aron Budea from comment #5)
> Since this is related to the website, and not LibreOffice itself, could you
> open a ticket at https://redmine.documentfoundation.org/ ?
Sure, no problem.
The ticket: https://redmine.documentfoundation.org/issues/1987
Thanks! Closing this, then.
For future reference: https://wiki.documentfoundation.org/QA/BugReport#Not_all_bugs_go_to_Bugzilla