Sublime Forum

Autoupdate / Updater security?

#1

I’ve noticed:

  • ST3 checks for updates over HTTPS
  • ST3 downloads updates over HTTP

Questions:

  1. Why does ST3 download updates over HTTP if it already checks for them over HTTPS?
  2. Does ST3 use a pinned certificate when verifying the updated binary? If so, where is this certificate located within the app bundle? If not, why on earth not and when will this be fixed?
1 Like

#2

Updates are signed with a private key, and Sublime Text will reject updates with an invalid signature. The public key used for verification is embedded within the existing binary.

5 Likes

#3

That’s good to hear, thanks!

0 Likes

#4

@jps thanks for the detailed response, but it does not answer the question.

Could you explain why the download itself is done over HTTP?

2 Likes

#5

+1 yeah that would be great

0 Likes

#6

If updates are rejected when they fail the signing check, then there isn’t actually an advantage to HTTPS other than one of principle (i.e. the view that all internet traffic should be encrypted). Update data can be compromised, but the result is simply a failed update and (presumably) a retry. The data which comprises a Sublime update is also not sensitive in any way – anyone can download it! – so it does not need to be protected.

Basically, there’s no advantage to HTTPS in this case because of the signature check, and it is likely that sticking with plain HTTP simplifies the infrastructural questions associated with hosting.

3 Likes
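The model that #2 and #6 describe, written out as an added example (not Sublime’s own updater code): the client holds only the vendor’s public key, a download that arrives over plain HTTP is rejected unless its signature verifies, and the signed message also binds the release version so a signature for one release cannot be presented as another. Key pair, build strings and payload bytes are constructed for the demonstration; the version-binding step is a general hardening added here, not something the thread states Sublime does.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed key pair: a real client ships only the public key inside its
// binary (as post #2 describes); the private key stays with the vendor.
var vendorPub, vendorPriv, _ = ed25519.GenerateKey(rand.Reader)

// signedMessage binds the release version to the payload digest, so a valid
// signature for one release cannot be presented as a newer one.
func signedMessage(version string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(version))
	h.Write([]byte{0}) // separator between version and payload
	h.Write(payload)
	return h.Sum(nil)
}

// SignUpdate is the vendor side (hypothetical): the detached signature that
// would be published alongside the download.
func SignUpdate(version string, payload []byte) []byte {
	return ed25519.Sign(vendorPriv, signedMessage(version, payload))
}

// VerifyUpdate is the client side. The bytes may have come over plain HTTP,
// so nothing is installed until the signature checks out against the
// embedded key; a bad download is simply a failed update.
func VerifyUpdate(installed, version string, payload, sig []byte) error {
	if !ed25519.Verify(vendorPub, signedMessage(version, payload), sig) {
		return errors.New("signature mismatch: update rejected")
	}
	if version <= installed { // zero-padded build strings compare lexically
		return errors.New("not newer than installed build: update rejected")
	}
	return nil
}

func main() {
	payload := []byte("constructed update archive bytes")
	sig := SignUpdate("build-0002", payload)
	fmt.Println(VerifyUpdate("build-0001", "build-0002", payload, sig)) // <nil>
	payload[0] ^= 0xff // bytes altered somewhere between server and client
	fmt.Println(VerifyUpdate("build-0001", "build-0002", payload, sig)) // signature mismatch
}
```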