Is Etrecheck safe to use and is this a safe place to download?

Discussion in 'Mac Basics and Help' started by Ramgrim, Feb 23, 2017.

  1. Ramgrim macrumors newbie

    Joined:
    Feb 23, 2017
    #1
    Hello!

    I wanted to check my system and heard about EtreCheck.

    1) Is it a safe app to use?

    2) Is this a safe place to download it from?

     
  2. Jack_Gran macrumors newbie

    Joined:
    Feb 24, 2017
    #3
    Excuse me, chscag!


    I'd like to butt in to this thread and specify something as I am also in need of an EtreCheck-like app.


    Is there any difference between
    http://etrecheck.com/
    and
    https://etrecheck.com/
    ?


    It is the same site and there won't be any security issues if using the http one?
     
  3. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #4
    It is the same site. HTTPS is more secure, as the connection will be encrypted between your computer and the server.
     
  4. Jack_Gran, Feb 24, 2017
    Last edited: Feb 24, 2017

    Jack_Gran macrumors newbie

    Joined:
    Feb 24, 2017
    #5
    Thank you for the reply!

    Out of curiosity, what could happen if one used the http one in the etrecheck case? Could an outside party somehow infect the downloaded app?
    Or would downloading etrecheck from http be as safe as from https as I am not entering any data myself?
     
  5. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #6
    A connection can be intercepted somewhere between your computer and the destination server, e.g. by the network provider, the DNS provider, the Internet-service provider and so forth. It is thus possible for someone to intercept your connection and redirect you to an infected software download. TLS (HTTPS) mitigates this by encrypting the connection between your computer and the server.

    Note that macOS will refuse to open unsigned software by default, regardless of whether it came from an HTTP or HTTPS website. This means that an attacker must also obtain a valid developer certificate from Apple (or steal one from another developer). You can always check the signature of a downloaded program with this Terminal command, and then see whether the name is legit.
    Code:
    spctl --assess -vv <application>

    For example, using it on a downloaded copy of EtreCheck:
    Code:
    $ spctl --assess -vv ~/Downloads/EtreCheck.app
    /Users/<username>/Downloads/EtreCheck.app: accepted
    source=Developer ID
    origin=Developer ID Application: Etresoft, Inc. (U87NE528LC)
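
An added example, not part of the original post: `accepted` only says that some valid Developer ID signed the app, so the `origin=` line still has to be compared with the developer you expect. The shell functions below do that comparison on the 10-character Team ID, using the output quoted above plus two constructed samples; the function and variable names are made up for this illustration.

```shell
#!/bin/sh
# Added example: evaluate `spctl --assess -vv` output against an expected Team ID.
EXPECTED_TEAM_ID="U87NE528LC"   # Team ID shown in the post above

# Output quoted in the post above.
SAMPLE_GOOD='/Users/<username>/Downloads/EtreCheck.app: accepted
source=Developer ID
origin=Developer ID Application: Etresoft, Inc. (U87NE528LC)'

# Constructed: validly signed, but by a different (made-up) developer.
SAMPLE_OTHER_DEV='/Users/<username>/Downloads/EtreCheck.app: accepted
source=Developer ID
origin=Developer ID Application: Example Dev (ABCDE12345)'

# Constructed: an app Gatekeeper rejects.
SAMPLE_REJECTED='/Users/<username>/Downloads/EtreCheck.app: rejected
source=no usable signature'

# check_spctl_output <spctl output> <expected team id>
# Succeeds only if the app was accepted, the source is "Developer ID", and the
# Team ID in parentheses at the end of the origin line equals the expected one.
check_spctl_output() {
    _out=$1; _expected=$2
    _verdict=$(printf '%s\n' "$_out" | sed -n '1s/.*: \([a-z]*\)$/\1/p')
    _src=$(printf '%s\n' "$_out" | sed -n 's/^source=//p' | head -n 1)
    _origin=$(printf '%s\n' "$_out" | sed -n 's/^origin=//p' | head -n 1)
    _team=$(printf '%s\n' "$_origin" | sed -n 's/.*(\([A-Z0-9]\{10\}\))$/\1/p')

    [ "$_verdict" = "accepted" ] || { echo "rejected by Gatekeeper"; return 1; }
    [ "$_src" = "Developer ID" ] || { echo "unexpected source: $_src"; return 1; }
    [ "$_team" = "$_expected" ] || { echo "Team ID mismatch: got '$_team'"; return 1; }
    echo "ok: $_origin"
}

# verify_app <path to .app> [expected team id]  (macOS only: needs spctl)
verify_app() {
    _result=$(spctl --assess -vv "$1" 2>&1) || true   # capture stdout and stderr
    check_spctl_output "$_result" "${2:-$EXPECTED_TEAM_ID}"
}

# Run against a real app only when a path is given on the command line.
[ "$#" -eq 0 ] || verify_app "$@"
```

The display name in `origin=` can be made to look similar to the real one, so the Team ID in parentheses is the value to match, taken from a copy of the app you already trust.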
     
  6. Jack_Gran macrumors newbie

    Joined:
    Feb 24, 2017
    #7
    Thank you for the explanation!

    I'd only ask then would it be possible for someone to make an identical-looking (but malicious) site with the same name, only one has https and the other http?

    For example (using current example) https://etrecheck.com/ and http://etrecheck.com/
    One being official and the other a scam site? Or would this be impossible?
     
  7. RedTomato macrumors 68040

    RedTomato

    Joined:
    Mar 4, 2005
    Location:
    .. London ..
    #8
    Yes, but it's very unlikely.

    I really wouldn't worry about it.

    The developer of EtreCheck would notice it very quickly and take action. Pretty much the same goes for most of the other websites you visit on a daily basis.
     
  8. Jack_Gran macrumors newbie

    Joined:
    Feb 24, 2017
    #9
    Also, if someone even did such a scam site, and went as far as to somehow get a valid developer certificate from Apple just to infect someone's Mac, the fake app would therefore not function as the real one anyways?
    For example, if a malicious app was masked as Etrecheck, no one would bother to make it display what looks like Etrecheck results after its scan? At least not good enough to fool anyone when it's posted in Mac forums?

    (Just trying to figure out how far can scamming go. :D)
     
  9. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #10
    That’s a bit more difficult to answer. A domain name is ultimately just a name that points to an IP address of another computer (the server). etrecheck.com points to 69.163.152.207. http:// and https:// are similarly just syntax for the port numbers to which the connection is made, 80 and 443 respectively. Domain names are maintained by DNS providers. As long as the DNS provider you are using correctly points etrecheck.com to 69.163.152.207, then an attacker could not claim either the HTTP or HTTPS website for themselves.

    However, given what I said above, an attacker can intercept your connection and pretend to be etrecheck.com, regardless of port number. They could theoretically even act as a TLS server and still give you a valid HTTPS connection, but this is mitigated by separate mechanisms. For those I refer you to this excellent video:
    .

    Usually something like this is discovered quickly. But it is certainly possible that an attacker infects a working copy of the program. This happened with Transmission last year. The application worked normally, but it also installed ransomware in the background. It was discovered within hours though.
     
  10. Jack_Gran macrumors newbie

    Joined:
    Feb 24, 2017
    #11
    Thank you for the insight!

    In short, known apps like Etrecheck can be infected, but the chance is rather low and there isn't much need to worry about things I can't change?

    And in the small chance I do get a working app that still installs ransomware or some poop, Malwarebytes should take care of it?
     
