About NodeJs X64 Windows Release

[ridvann]

Hi,

AirServer setup files in the X64 Windows Package???

I do not understand ... Is this a mistake?

Thanks

Best Regards

[dnakamura]

Installer looks fine to me. What version are you installing / where did you get the installer?

[ridvann]

Hi,

I installed the latest version. I downloaded the package Nodejs.org/download . I sent the following photos.

I installed the x86 package. Such a thing did not happen in this package. So I thought it would be a mistake.

Thanks

[misterdjules]

@ridvann Thank you for reporting this issue. It is similar to what other users have mentioned here: https://groups.google.com/forum/#!topic/nodejs/rTmyqw17hHg.

I'm not able to reproduce the problem. Do you get the same AirServer installer every time you download a new node x64 msi installer?

[ridvann]

@misterdjules thanks

I found the problem. I think such a situation is causing a proxy server. When I download my home computer, I download the correct package.

That is to say.

The photo above in:

1. Left Properties: I downloaded the package from home
2. Center Properties: Wrong downloaded package
3. Right Properties: AirServer Orijinal package

There are three packages similar to one aspect of this. This file sizes...

The proxy server does not know how such a process.

An interesting case :)

If necessary, files can be accessed from the following link.

https://www.dropbox.com/sh/jjnykxqomheqzis/AAAY44_WAWZB9GMtAo9keCl8a?dl=0

Thanks

Best regards

[misterdjules]

@ridvann When downloading node's x64 msi installer through that proxy, do you get the air server installer instead every time? Would you mind sharing some information about this proxy so that we can also reproduce this problem on our side?

Thank you!

[ridvann]

@misterdjules Yes, when I connect to the Internet with proxy servers, downloading the airserv package at a time. When I went to the office tomorrow, I can share the proxy server information.

Thanks

[ridvann]

@misterdjules I checked the firewall system in the office. I reach the following information.
We use Linux-based firewall. And content filtering proxy server as we use Dansguadian and Squid. These versions do not know. I could not get the information because it comes in the box version.

I wrote a little late. Sorry: |

Thanks

[n3m6]

I just downloaded the x64 msi installer from nodejs.org and this happened to me. This is extremely fishy! What is going on?

Edit: Would gladly provide any details necessary.

Edit2: Just downloaded the 0.12.3 x64 msi installer instead. It works fine. The problem seems to occur only with the 0.12.4 x64 msi installer.

[JohnMcLear]

Time for SHA signatures.

[JohnMcLear]

@n3m6 @ridvann it looks like you are both on compromised networks or compromised machines.

[jameshartig]

I assume if you download it with https it works fine?
https://nodejs.org/dist/v0.12.4/x64/node-v0.12.4-x64.msi

Is there a reason that the nodejs.org site doesn't use https for downloads when you're on https://nodejs.org?

Edit: Also, can you run nslookup nodejs.org from the command prompt so we know which server it is hitting when you download it?

[n3m6]

@JohnMcLear this is a fresh install of windows on a new machine

@fastest963 I tried downloading it just now. It works, finally!

nslookup on nodejs.org gives this

Non-authoritative answer:
Name: nodejs.org
Address: 165.225.133.150

[jwalton]

Here's a report from someone getting AirServer directly from home, and then spontaneously switching to the correct binary: http://www.reddit.com/r/node/comments/3ajhfc/malware_on_nodejsorg/.

For those affected; if you could post a traceroute nodejs.org (linux or OS/X) or a tracert nodejs.org (windows) from you affected machine, the results would be interesting.

[misterdjules]

Downloads from nodejs.org now use HTTPS by default. While it's not a solution to these types of issues, if the problem reporter here is due to a man in the middle attack, using HTTPS should help prevent it.

@ridvann Could you please try to reproduce the problem you have when downloading files behind your proxy and let us know if enabling HTTPS at least warns you or prevents you from download the AirServer installer?

Please be mindful that it only guarantees you that the content you download is sent from nodejs.org, it does not guarantee you that the content hasn't been tampered with. For that, you'll need to verify the digital signatures provided with each releases.

I also started a thread about a better UX to verify downloads of releases from nodejs.org. Your feedback about any concern you may have or about how you'd like to be able to verify downloads would be very much appreciated.

[ridvann]

@misterdjules The problem did not occur with HTTPS.

Thank you for your interest

Best regards

[misterdjules]

@ridvann Do you mean that before nodejs.org changed download links to be HTTPS by default, you could always (100% of the time) reproduce the problem (download the AirServer installer instead of the Node.js installer) when downloading Node.js from behind your proxy, and that now when downloading Node.js behind your proxy you always get the Node.js installer?

If so we will close this issue. Thank you again for your help! 👍

[misterdjules]

@ridvann Closing as it seems to be fixed, but please feel free to comment if I misunderstood your latest comment and I'll reopen.

[ridvann]

@misterdjules If I write something similar again.

Thank you very much for your concern.

Best Regards