Unauthorized Vivaldi installers – help us find them
Hi folks and Happy New Year!
I've just joined Vivaldi as a developer and came across a curious issue – some websites distributing Vivaldi installers that have a potentially unwanted software. I thought I’d reach out to you all to see how big of an issue this is — and also take this as an opportunity to introduce myself.
This kind of thing does not really happen on Linux and is less common on mac but we do occasionally see it there. For Mac you can check the signature of the app within the .dmg by opening a terminal and running a command like:
codesign -d --verbose=2 Vivaldi.app
Amongst the output you should see Authority=Developer ID Application: Vivaldi Technologies AS (4XF3XNRN6Y)
Oh and congrats to Julien on joining us and your first blog post!
What can be done in theory? If such installers are discovered you'd ask the website owner to take down the installer?
As this is Windows-specific issue, maybe there's some way to tackle this by making Windows installers obsolete (I'm not tech savvy so I'm not sure what I'm talking about) and somehow enforce the initial installation of Vivaldi to be only able to happen through the official website.
I remember Google had a thing with Chrome, when you download it with Internet Explorer, it shows this thing in the picture:
Which gives me the impression that it makes Windows contact the servers directly to download a tiny file (probably in Temp) which then downloads and install the rest of the browser.
If something like this can be done, it could potentially fix the problem… I guess I'll keep my eyes peeled for modified installers of Vivaldi.
On the Mac, in addition to using codesign, you can further double-check the integrity of the app bundle with:
spctl -a -vv Vivaldi.app
Funny fact: …and yesterday I wrote my own installer, since I'm still missing an unattended/silent setup for deploying Vivaldi in an enterprise environment.
DEB packages are fine for our GNU/Linux clients. But when will we see MSI's for Windows (or something like that)?
In the meantime, the best way is to download only on https://vivaldi.com/download/
"Malicious" as in actually so, or just the usual type of nonsense that sites like CNET used to do (I think they discontinued the practice), where they repackage the installer with some "optional" goodies that you have to look really hard to disable? Definitely not good, but it's not as if they were viruses or anything.
Welcome another one from the dark (at least other) side of the force.
how this can fix the problem if any site can still make a button "download vivaldi" which points to their exe file, which installs some malware + downloads and opens real installer from vivaldi.com ? 5 minutes task
dobreprogramy is very popular app download site in Poland, for 2-3 years they started to serve their own "installer", which contains unwanted stuff, but you can still directly download using the grey button on the right.
they have some apps which CAN'T be downloaded with their installer though, don't know why they do that
https://www.vivaldi.ru/downloads and http://vivaldi.findmysoft.com/download/ and http://www.afterdawn.com/software/search/results.cfm?q=vivaldi seems to provide some fake installers
not sure portable installer like http://portableappz.blogspot.fr/2015/01/vivaldi-108338-multilingual-tech-preview.html are really usefull too…
I would not be at all surprised if most users are getting PUPs or malware from the major download sites like CNET, Softpedia, FileHippo, etc., from a Google search. These major download sites are far more likely to be used than some random link on a YouTube video or FaceBook page.
I no longer trust these sites, and avoid them as far as possible. The sad truth is that they need to distribute PUPs to make money and stay viable. Some PUPs are malicious.
People should download Vivaldi from Vivaldi.com
not a beer drinker
You lost me there. But welcome all the same.
I use a portable installer that downloads from Vivaldi servers to create it's own portable version. Would that count? There is nothing maliciously installed with it
Please encourage the use of Virus Total browser extension. This will allow users to scan files before downloading. Hashes for bad files can then be shared safely https://www.virustotal.com/en/documentation/browser-extensions/
Not sure if authorized or not, but a famous german site offers an installer with additional software inside (antivirus). You need to choose "manuell installation" to get the standalone installer: http://www.chip.de/downloads/Vivaldi-32-Bit_75942335.html
OK, that can happen. I just now tried really hard to find on the last pages of Google results a fishy download for Chrome. Couldn't find one.
I also went to page 6 of results for "download Vivaldi" found a fishy looking Brazilian website with Vivaldi 1.0.x so I downloaded it and checked the signature, it was OK.
It's really hard to stop someone from doing something harmful, especially on the internet. People should just be educated to download software from the official website, especially if the software is completely free, that's the best way to get the latest version.
I just tried the installer, it feel like the one they use on CNET for their download, the theme, overall layout appears sort of the same.
Do portable versions count? http://portableappz.blogspot.bg/2015/01/vivaldi-108338-multilingual-tech-preview.html This one has their own .exe files and upon download opens a popup window of Alibaba
This one offers it in .torrents and whatnot http://xetbox.com/programs/internet/browsers/2722-vivald
http://www.afterdawn.com/software/network/browsers/vivaldi-for-windows-64-bit.cfm This one straight up says "may include 3rd party offers"