Microsoft finally switches Windows cumulative update downloads from HTTP to HTTPS

Microsoft’s Update Catalog, commonly known as the Microsoft Patch Library, has served downloads over a cleartext protocol for a long time: a standalone update package fetched from it was transmitted unencrypted. Switching to an encrypted connection would have been the obvious security policy, because a cleartext transfer is easy to hijack and the package easy to replace with malware in transit.
Now Microsoft has finally updated its security policy. Downloading a standalone update package through the Microsoft Update Catalog website uses an encrypted connection by default instead of a cleartext one. A reasonable guess is that Microsoft’s reluctance to switch may have been due to compatibility issues elsewhere, not in the patch library itself, since some browsers restrict access to HTTP sites and resources.

Example:

Old Link:

http://download.windowsupdate.com/d/msdownload/update/software/updt/2022/03/windows10.0-kb5011563-arm64_b17fbb4bf86fcf66b5971d076ffdb7d570002c4e.msu

New Link:

https://catalog.s.download.windowsupdate.com/d/msdownload/update/software/updt/2022/03/windows10.0-kb5011563-arm64_b17fbb4bf86fcf66b5971d076ffdb7d570002c4e.msu

To repair an old link, replace the leading http:// with https://catalog.s. and keep the rest of the URL unchanged; the download should then work again.
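As an added example (not from the article, ghacks, or Microsoft), the rewrite rule above as a small Python helper: it rewrites only links on the old download.windowsupdate.com host, checks that the result is an https link on the new host, and, on the assumption that the 40-hex suffix in the filename is the package's SHA-1, verifies a downloaded file against that digest so integrity no longer depends on the transport alone.

```python
import hashlib
import re
from urllib.parse import urlsplit, urlunsplit

# Host that served cleartext downloads, and the HTTPS host that replaces it.
OLD_HOST = "download.windowsupdate.com"
NEW_HOST = "catalog.s.download.windowsupdate.com"

# Sample input: the old link quoted in the article.
OLD_URL = ("http://download.windowsupdate.com/d/msdownload/update/software/updt/"
           "2022/03/windows10.0-kb5011563-arm64_b17fbb4bf86fcf66b5971d076ffdb7d570002c4e.msu")


def rewrite_update_url(url: str) -> str:
    """Apply the article's rule: http://download.windowsupdate.com/... becomes
    https://catalog.s.download.windowsupdate.com/... with path and query unchanged.
    Only the exact old host is rewritten, so the rule cannot be misapplied."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname != OLD_HOST:
        raise ValueError(f"not an old-style update link: {url}")
    # netloc is replaced wholesale, so any userinfo or port is dropped too.
    return urlunsplit(("https", NEW_HOST, parts.path, parts.query, ""))


def is_secure_update_url(url: str) -> bool:
    """True only for an https link on the new host, i.e. a download that an
    HTTPS page can start without tripping a browser's HTTP-download block."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname == NEW_HOST


# Assumption: the 40-hex suffix before the extension (see the sample filename)
# is the SHA-1 of the package. Checking it gives integrity independent of transport.
_DIGEST_RE = re.compile(r"_([0-9a-f]{40})\.[A-Za-z0-9]+$")


def expected_sha1_from_url(url: str) -> str:
    match = _DIGEST_RE.search(urlsplit(url).path)
    if not match:
        raise ValueError("filename carries no SHA-1 suffix")
    return match.group(1)


def verify_package(data: bytes, url: str) -> bool:
    """Compare downloaded bytes against the digest embedded in the filename."""
    return hashlib.sha1(data).hexdigest() == expected_sha1_from_url(url)
```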

There is no need to say more about the security benefit of switching to encrypted links. We believe the more important reason for Microsoft's change may be to let users download at all: under the Chromium browser's security policy, an HTTP file offered by an HTTPS website cannot be downloaded, and the download is blocked.

Via: ghacks