12-04-2010 07:15 PM
I performed an MD5 check on the file I downloaded from Sophos' website (savosx_72_he.dmg), but I received a different string from the one listed on the tech specs page.
I got this result: 76cbd8b25919c3fda4690f36219a1f8b
Sophos shows: 21c3c6f2d93d0843238b9575792e06ef
Someone please explain the discrepancy? I've downloaded the file twice.
Thanks.
12-06-2010 05:58 AM
Hi Codex and welcome to the forum.
The checksum currently (Monday 13.55) on the downloads site check page is the same as the one you saw in the file you downloaded. So that is correct.
Where did you obtain the checksum that you mention below as 'Sophos shows', starting with 21c ?
Thanks
Sandy
12-06-2010 10:38 AM
12-07-2010 12:51 AM
The FAQ refers you to the Tech specs page ("Make a note of this checksum and compare it with the checksum provided on the tech specs page"), which indeed lists the "old" MD5, whereas How to check that your download is genuine – using a checksum from the Mac tools help indicates the Sophos downloads webpage as the authoritative source ("Make a note of this checksum and compare it with the checksum provided in the file on the Sophos downloads webpage").
To avoid (future) confusion, either the two should be kept in sync or the Tech specs should refer to the file on the downloads page. BTW (it has already been mentioned): neither might satisfy the truly paranoid, as both fail over an https connection.
Christian
12-07-2010 03:13 AM
I have addressed the issue over the discrepancy with the checksum; it will be rectified shortly.
I am unable to find any reference to issues with viewing checksum over https (if that is what you mean).
If someone can point me in the right direction I will investigate.
Thanks a lot
Sandy.
12-09-2010 12:44 AM
I am unable to find any reference to issues with viewing checksum over https (if that is what you mean).
Only two posts (now three) are found for md5 https and the one not from me is from the thread Protection against MiTM attacks?. jstash says in his second post: An MD5 published on an HTTP site (which could also be hijacked) is only sufficient for checking if a download is intact. To verify that it was actually created by Sophos, either a signature file (e.g. validating a PGP/GPG signature file) or being able to download the MD5 over HTTPS (w/ cert validation) [bold print mine] would be needed.
Christian
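The two points raised in this thread (published checksums drifting out of sync, and a checksum read over plain HTTP proving only that the download is intact) can be checked together. The sketch below is an added example, not part of the original posts and not Sophos code; the function names, verdict labels and `example.invalid` URLs are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
from urllib.parse import urlsplit

def file_md5(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large .dmg is never read into memory whole."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def assess(actual, published):
    """Compare one computed digest with every published value.

    published maps the URL a checksum was read from to the hex string found there.
    Returns (verdict, matching_urls, differing_urls).
    """
    matching, differing = [], []
    for url, value in published.items():
        same = actual.lower() == value.strip().lower()
        (matching if same else differing).append(url)
    if not matching:
        verdict = "MISMATCH"             # damaged download or every source is stale
    elif any(urlsplit(u).scheme == "https" for u in matching):
        # Assumes the certificate was validated when that page was fetched.
        verdict = "INTACT_HTTPS_SOURCE"
    else:
        verdict = "INTACT_ONLY"          # checksum itself arrived over plain HTTP
    return verdict, matching, differing

if __name__ == "__main__":
    # Constructed stand-in for the download; all URLs are placeholders.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"constructed sample bytes, not a real installer")
    actual = file_md5(tmp.name)
    os.unlink(tmp.name)
    published = {
        "http://downloads.example.invalid/checksum": actual,   # in sync
        "http://techspecs.example.invalid/": "0" * 32,         # stale copy
    }
    verdict, matching, differing = assess(actual, published)
    print(verdict)
    print("matches:", matching)
    print("out of sync:", differing)
```

A verdict of `INTACT_ONLY` with a non-empty "out of sync" list corresponds to the situation in this thread: the file is intact, one page is stale, and neither checksum says anything about who produced the file.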