I thought I was being smart. By not buying through AVADirect I wasn’t going to be using an insecure site to purchase my new computer.
For the curious, I ended up purchasing through eBay (A rating) and Newegg (A rating) a new Ryzen (very nice chip!) based machine that I assembled myself. The computer is working mostly OK, but has some stability issues. A BIOS update comes out on the MSI website promising some stability fixes, so I decide to apply it.
The page that links to the download is HTTPS, but the actual download itself is not.
I flash the BIOS and now appear to have a brick.
Given the poor security, and now wanting a motherboard with a more reliable BIOS (currently I need to send the board back at my expense for an RMA), I looked at other Micro ATX motherboards, starting with a Gigabyte which has even fewer pages using any HTTPS, and the ones that do are even worse:
Unfortunately, a survey of motherboard vendors indicates that MSI, failing with Fs, might still be in second place. Most just have everything in the clear, including passwords. ASUS clearly leads the pack, but no one protects the actual firmware/drivers you download from them.
| Vendor | Main Website | Support Site | RMA Process | Forum | Download Site | Actual Download |
|---|---|---|---|---|---|---|
| AsRock | Plain text | Plain text | Plain text | Plain text | | |
| Gigabyte (login site is F) | Plain text | Plain text | Plain text | Plain text | Plain text | Plain text |
| EVGA | Plain text default/A- | Plain text | Plain text | A | Plain text | Plain text |
| ASUS | A- | A- | B | Plain text default/A | A- | Plain text |
| BIOSTAR | Plain text | Plain text | Plain text | n/a? | Plain text | Plain text |
A quick glance suggests that vendors that also build complete systems (ASUS and MSI, for example) use more security.
We rely on the security of these vendors for most self-built PCs. We should demand HTTPS by default across the board. It's 2017 and a BIOS file is 8 MB; cost hasn't been a factor for years.
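The "Actual Download" column above, and the HTTPS-page-but-plain-HTTP-file pattern described earlier, can be checked mechanically. This is an added example, not code from the original post: it parses a constructed HTML snippet (placeholder host vendor.example, assumed firmware file extensions) and flags firmware links that would travel in the clear, resolving relative and protocol-relative hrefs against the page URL the way a browser does.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed set of common firmware/driver package extensions (not from the post).
FIRMWARE_EXTS = (".zip", ".exe", ".rom", ".bin", ".cap")


class _LinkCollector(HTMLParser):
    """Collects the href of every <a> tag on the page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def audit_download_links(page_url, html):
    """Map each firmware-looking link to 'https' or 'plain'.

    Relative and protocol-relative hrefs are resolved against page_url,
    so a '//host/file.zip' link on an HTTPS page correctly counts as HTTPS,
    while an explicit http:// link is 'plain' even on an HTTPS page.
    """
    collector = _LinkCollector()
    collector.feed(html)
    results = {}
    for href in collector.hrefs:
        absolute = urljoin(page_url, href)
        parts = urlsplit(absolute)
        if not parts.path.lower().endswith(FIRMWARE_EXTS):
            continue
        results[absolute] = "https" if parts.scheme == "https" else "plain"
    return results


# Constructed sample: an HTTPS support page whose newest BIOS link is plain HTTP.
SAMPLE_PAGE_URL = "https://vendor.example/support/board-x/bios"
SAMPLE_HTML = """
<a href="/support/board-x">Back to product page</a>
<a href="http://download.vendor.example/bios/boardx_v1.20.zip">BIOS 1.20</a>
<a href="//download.vendor.example/drivers/chipset.exe">Chipset driver</a>
<a href="https://download.vendor.example/bios/boardx_v1.10.zip">BIOS 1.10</a>
"""

if __name__ == "__main__":
    for url, verdict in audit_download_links(SAMPLE_PAGE_URL, SAMPLE_HTML).items():
        print(f"{verdict:5}  {url}")
```

Feeding it a fetched vendor page instead of the sample reproduces the table's last column for that page; a 'plain' verdict on a firmware file means the download has no transport protection regardless of the page's own rating.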