All links I can find result in a plain-HTTP download, which can be undetectably tampered with in transit.
Even changing the plain HTTP Adobe - Adobe Reader download - All versions to HTTPS Adobe - Adobe Reader download - All versions still results in a plain-HTTP download.
The @Adobe_Reader Twitter account suggested secure FTP to ftp.adobe.com, but SFTP doesn't provide source-server authentication (nor does ftp.adobe.com even seem to be answering SFTP).
Publishing the official secure checksums of the installers via a secure authenticated channel would also be good, but I couldn't find those anywhere, either. A Google search for the actual SHA1 of the executable I received (54fd10c7d36895469f6bfb1cd01ec04a633f8c5d for 'AdobeReaderInstaller_11_en_ltrosxd_aaa_aih.dmg') had no hits, suggesting official checksums haven't been prominently announced.
Adobe's auto-update mechanisms must be secured by crypto against tampering in transit, right? So why isn't the initial download?
Any pointers appreciated.
- Gordon
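
The two checks the post describes, as an added example that is not part of the original post: find every plain-HTTP hop in a download's redirect chain, and compare a downloaded file against a digest obtained over an authenticated channel. The function names, the example.com hostnames and the sample redirect chain are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urljoin, urlsplit


def insecure_hops(start_url, locations):
    """Rebuild the redirect chain from the starting URL and the successive
    Location header values, then return every URL not fetched over HTTPS.
    A single plain-HTTP hop lets a network attacker replace the payload,
    even when the link that was clicked used HTTPS."""
    chain = [start_url]
    for location in locations:
        # Location may be relative or protocol-relative; resolve it
        # against the URL that issued the redirect.
        chain.append(urljoin(chain[-1], location))
    return [url for url in chain if urlsplit(url).scheme.lower() != "https"]


def digest_matches(path, expected_hex, algorithm="sha256"):
    """Stream the file through the hash (installers are large) and compare
    the result with a digest published over an authenticated channel."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return hmac.compare_digest(h.hexdigest(), expected_hex.strip().lower())


if __name__ == "__main__":
    # Constructed chain: an HTTPS landing page that redirects to an
    # HTTP download host, the situation described in the post.
    hops = insecure_hops(
        "https://get.example.com/reader/",
        ["/reader/otherversions/", "http://dl.example.com/installer.dmg"],
    )
    for url in hops:
        print("plain-HTTP hop:", url)
```

The digest check is only as trustworthy as the channel the expected value came from; a checksum served next to the installer over the same plain-HTTP path can be replaced along with it.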