Download using HTTPS rather than HTTP

(imported topic written by phil_imray91)

Hi

Is HTTPS supported by the download action?

If so, are there any instructions on the steps required to load the SSL cert on the BES server?

And finally, how would that work (or not) with relays?

TIA,

Phil

(imported comment written by BenKus)

Shortest answer is no… but the downloads from the BigFix content come with a sha1 check after the download to make sure that no one changed the file with a man-in-the-middle attack.

Ben

(imported comment written by mmcgrew91)

But where does the SHA1 hash come from? Is it sent to the server over HTTP and then that could also be spoofed? Just playing devil’s advocate : )

(imported comment written by BenKus)

Good question… we have this covered…

We digitally sign all actions, Fixlets, baselines, properties, etc. and so if any info is changed (including the sha1), then their digital signature will be invalid. So the sha1 is safe and thus you can be sure that the download that you get is the expected download (whether or not you are using HTTPS). :slight_smile:

Ben

(imported comment written by MaxenceWarzecha)

This post is old but I think it’s still relevant with the current (9.1) version.

I still don’t understand how it works if sha1 is transferred over http.

Could you be more specific? It would be very, very appreciated :slight_smile:

(imported comment written by jgstew)

The “prefetch” and “download” commands will download files from the internet over HTTPS or HTTP.

The SHA1 and size info is used to verify that the file downloaded from the relay is the real file. The code the client gets to actually download the file is signed so it can’t be spoofed.

If you have the known SHA1 and Size of a file, and you download it over HTTP, even if there is a man-in-the-middle it is nearly impossible for them to give you a different file than the one you are requesting that has the same size & sha1.
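
The chain of trust described in this thread (signed action metadata, then size and SHA1 checks on the bytes fetched over plain HTTP), as an added example that is not part of the original posts and is not BigFix code. The action format, the function names and the sample data are assumptions, and HMAC-SHA256 stands in for the real digital signature only to keep the example within the standard library.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the publisher's signing key. A real deployment uses
# an asymmetric signature; HMAC is a labelled substitute for this example.
SIGNING_KEY = b"constructed-demo-key"


def sign_action(action: dict) -> bytes:
    """Sign the canonical JSON form of an action (hypothetical format)."""
    body = json.dumps(action, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()


def verify_download(action: dict, signature: bytes, payload: bytes) -> str:
    """Return 'ok' or the reason the download must be rejected."""
    # Step 1: the metadata, including sha1 and size, must be authentic.
    if not hmac.compare_digest(sign_action(action), signature):
        return "bad signature"
    # Step 2: cheap size check before hashing.
    if len(payload) != action["size"]:
        return "size mismatch"
    # Step 3: the bytes received must hash to the signed value.
    digest = hashlib.sha1(payload).hexdigest()
    if not hmac.compare_digest(digest, action["sha1"]):
        return "sha1 mismatch"
    return "ok"


# Constructed sample data.
GOOD_FILE = b"installer bytes v1.0"
ACTION = {"url": "http://example.com/installer.bin",
          "size": len(GOOD_FILE),
          "sha1": hashlib.sha1(GOOD_FILE).hexdigest()}
SIGNATURE = sign_action(ACTION)
TAMPERED = b"installer bytes v6.6"  # same length, different content
# The file is swapped in transit AND the sha1 in the metadata is rewritten:
FORGED_ACTION = dict(ACTION, sha1=hashlib.sha1(TAMPERED).hexdigest())

if __name__ == "__main__":
    print(verify_download(ACTION, SIGNATURE, GOOD_FILE))
    print(verify_download(ACTION, SIGNATURE, TAMPERED))
    print(verify_download(FORGED_ACTION, SIGNATURE, TAMPERED))
```

The third case is the one asked about above: rewriting the hash alongside the file fails because the hash is covered by the signature.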