Ben Kennish's Web Site

(www.bennish.net)

Trusted Linker Download Redirection

What's this TLDR thing?

Most people know about "https" and that it improves security on the web. However, it's an extra stress for web servers and so, more often than not, files you download, even programs/apps that will run on your computer, are not delivered using https. This is a problem because you no longer have the protection that https provides. TLDR provides a way that an https site can link to a non-https download and tell your web browser more info about the file so that the browser can verify that the file hasn't been modified.

The method of checking the integrity of downloads is nothing new. But when I come across instructions on how to do perform the checks manually, such as those on Apache.org, I can't help but think that most people will think "Too long; didn't read" (TL;DR)

How does TLDR work? (technical explanation)

TLDR is a proposed extension to HTTP. All of the download links below redirect (e.g. using a "302 Found" HTTP response) to a non-https URL where the file can be found and downloaded. Special TLDR headers are sent within the response which contain one or more checksums of the file contents (e.g. using SHA1). With support from the web browser, the files can have their checksums calculated once downloaded to ensure that the file data is as expected.

If you want to find out more, please read my Internet Draft submitted to the Internet Engineering Task Force (IETF).

Downloading files using TLDR

1. Install Firefox Add-On

To try out TLDR, download and install version 0.8.12 of my prototype TLDR Firefox Add-on (open the tldr.xpi file with Mozilla Firefox). NB: the Add-on does not currently work with Firefox for Android.

2. Download files for testing

These download links all use TLDR so you can use them to test out the Firefox Add-On...

• Firefox 37.0.2.dmg - Mozilla Firefox browser for Mac OS X v37.0.2 (en-GB)
• httpd-2.2.29.tar.gz - The Apache Web Server source code
• openssl-1.0.2.tar.gz - OpenSSL (Crytography and SSL/TLS Toolkit) source code with incorrect checksum
• xchat-2.8.9.exe - IRC chat client for Windows

So what now?

For TLDR to be truly useful, web browsers should support it natively and websites should implement it for their download links.

If you run a website that provides links to downloads, please consider implementing TLDR. If you need help with this, take a look at the GitHub repo containing the PHP source code of this very web page.

If you can write add-ons for web browsers, why not write one that will add TLDR support to your favourite web browser?

Finally, why not write to the maker of your favourite web browser asking them to include TLDR support natively?

Thanks for reading,

Ben

© Ben Kennish, 2024