Hacker News new | past | comments | ask | show | jobs | submit login

Broken certs:

  curl: (60) SSL: no alternative certificate subject name matches target host name 'assets.oldversion.s3.amazonaws.com'
That aside, an obvious problem with binary download sites like this is that you don't know if what you're getting is malicious. Hosting arbitrary binaries isn't cheap, so the economics of sites like this almost encourages shady behavior, not to mention the possibility of malicious users.

Edit: I realize my broken certs problem must be caused by an extension (probably HTTPS Everywhere) here. Anyway, probably don't want to download binaries over unencrypted channels in 2020...




I'm the founder of the site. We are ad-supported, ideally would like to be community-supported. We take the responsibility of hosting these binaries seriously, but sometimes there are bad actors in terms of users which we work to address before the binaries become available for public download.

Now looking into a potential API that could at least link with virustotal or a site like that to give users more information about each binary. Any ideas/tech solutions would be welcome.

Thanks - what an honor it is to see this passion project from 20 years ago still relevant (and would love to have it be more relevant to various communities).


OldVersion.com has been around for a long time, I think if they were modifying binaries or embedding malware, something would have come out by now. The economics of a site like this also encourage making yourself a legitimate source.

That isn't to say it's 100% safe, and this type of thing has certainly happened in the past, but until something comes out I think they're relatively trustworthy. I wish all software vendors made old versions officially available, but they frequently don't.


Sorry for nitpicking but it doesn't matter if a host is reliable or not, since they could get hacked (unknowingly) or your download binary could get swapped out on the fly via deep packet inspection.


For what my opinion is worth, I vouch for that site. I see on my Firefox bookmarks Library that I have "Added" that in "Mon 26/12/2005, 14:36". This is one of my favourite sites when I am looking for a piece of software that "simply works". And I usually don't care how old is it, as long as it runs on my Win8.1Pro, I'm OK. Typically the older - the better.


Been using it to download uTorrent 1.7.2 for what seems like at least a decade.


Try qBittorrent. I have been very happy with it as a uTorrent replacement for the past few years.


Wonder how many remote root exploits your system is open to.

I'd bet real money it ain't 0.


I’d you’re downloading old versions of things then you should also be aware of any known bugs or exploits within it anyway. This isn’t a tool to be used lightly nor blindly.


This happens for s3 buckets with dots in the names as wildcard certificates (*.s3.amazonaws.com) only cover one 'level'.

You can manually work around it via using the alternative URL to access a bucket with a dot in the name:

  https://s3.amazonaws.com/assets.oldversion/<filepath>


You could verify the binary by submitting it to virustotal.com


Are SourceForge's adware/crapware installers flagged by AV software?


Chances are they aren't since it has been years now that the site was sold to someone else who removed all the adware/crapware.


I should have used the past sense. Were they flagged by AV software (for which VT is basically an aggregator) when they bundled adware/crapware?


Possibly. I just tried the official installer for JDownloader (which i know it includes adware) and it was flagged by several engines:

https://www.virustotal.com/gui/file/6684894d334c9fd629c6586c...

So chances are it'd also flag SourceForge's stuff since it wasn't purpose-built malware but some sort of generic wrapper.


Slightly related, but I recently had to deal with an old Windows XP machine and with everything moving to HTTPS you're pretty much SOL trying to get _anything_ on the web.


If you use an older-style webhost with cheap or free bandwidth it can be a lot more afforable than one might think




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: