Downloading Update looks very sketchy

Report · Sep 23, 2018

I had to come through the forums to ensure that what I was doing was actually from the real Adobe Flash, and not some spoof to try and gain access. I believe the Adobe team should be doing more to make sure the path to download updates appears as legitimate as it is.

For example using the "get3" site appears fraudulent to anyone paying attention to the URL. Additionally, the logo used across the update flow is blurry, thus appearing fraudulent.

PS, sending simple feedback like this is incredibly difficult - I had to jump through 4 hoops to get here and this does not feel like an appropriate place to be posting constructive feedback. I'd much rather have had an opportunity to send a private message, but apparently that's not "correct" for this product.

Report · Oct 17, 2018

Thanks for taking the time to share your feedback. Adobe doesn't provide support for the products that we provide free of charge. These user-to-user forums are provided as a service to the community. Paid products confer support and a more direct route for help and feedback.

It's great that you're taking care to validate that the software you're downloading and installing is coming from a legitimate source.

To that end, I want to do you the service of making sure that you're using the meaningful cryptographic tools that exist to confer trust, instead of just trying to puzzle it out based on what looks legit. The cryptography stuff is intimidating and there's a bit of a learning curve, but it's not that bad. It's so easy to forge things digitally, that anything less than a cryptographic guarantee is pretty meaningless.

The big thing to understand is that a cryptographic signature typically guarantees integrity and authenticity -- the resource came from the issuer that you expect, and it hasn't been modified in any way since they signed it. Unless that entity has lost control of their signing keys (which is a *huge* deal -- code signing keys are treated with great care, and can be revoked if they're ever lost), you know that what you're getting is legit. Everything else is guesswork and superstition.

There are two big kinds of certificates that you'll want to care about:

SSL certificates -- which tell you who owns a server, and that you're talking to the entity that you think you're talking to
- Adobe employs Extended Validation (EV) certificates, which demonstrate that the third-party issuer actually checked to make sure that they're legitimate giving certificate to Adobe, and not someone pretending to be us.
  
  More details:
  Extended Validation Certificate - Wikipedia
  How To Verify A Website's Certificate - YouTube
Code Signing Certificates - They tell you that a binary was published by the author, and that the bits have not been modified since they were signed.
- Adobe signs the binaries that it ships. If an installer doesn't say that it's from Adobe Systems Incorporated, or "Adobe" (we just shortened our legal name), it's probably not.
  
  More Details:
  Code signing - Wikipedia
  Cryptography Tools | Microsoft Docs
  SignTool | Microsoft Docs
  https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Proce...

More importantly, that canonical hostname "get3" doesn't tell you anything. The domain name -- the "adobe.com" part, matters a lot. There's a good explanation here, around 01:43. This seems like a really solid intro, if you really want to understand how the domain name system works. The long and short of it is that if it ends in "adobe.com", you're requesting a machine that we own (and SSL [aka. TLS] cryptographically guarantees that the machine you've asked to talk via the DNS system is actually the machine you're talking to).

Understanding DNS Part 1 - YouTube

Hope that helps!

Adobe Community

Downloading Update looks very sketchy