1.12 version... elvey.com/insecure

The Internet is STILL plagued by insecure updates and other downloads. It's been years since the problem of insecure updates was publicized, but most of the computer software industry still seems to be ignoring the problem, including many security software firms!

I've been blogging about this for some time, and I've looked into and tried various ways of shaming the major players and several smaller players into cleaning up their act. In this document, the various companies' names are links to bugs, forum posts, etc. that document my efforts and their success, or lack thereof.
I've been successful in getting a few (including Google) to clean up their act. (Well, actually I've only been fully successful with Google! Hey, Google, I would love to work at Google!)
I've been somewhat successful with a few (including Mozilla (Firefox, etc.), Objective Development (makers of LaunchBar, Little Snitch, Sharity and WebYep) and Prey).
Frustratingly, I've been unsuccessful with most:
- Amazon
- Adobe (Flash)
- Cisco
- Ubuntu
- Mozilla (Firefox, etc.)
- Microsoft: e.g. Silverlight and SkyDrive for Mac OS X cannot be downloaded securely; Microsoft Support confirmed this AND stated that they do NOT intend to address the problem.
- Apple: Mac OS X combo update SHA1 checksums are posted on https-accessible web pages, but they're mixed-security pages, and so still insecure. I reported this to product-security@ on Wed, 13 Dec 2006. However, they are still (as of October, 2011) serving even current combo updates via mixed-security web pages. Fortunately, they ARE now serving the combo updates themselves over https.
- ShedWorx (makers of Cosmos for iOS, Cosmos for Mac, VoltaicHD, RevolverHD, Jaksta, mkvWatch, HD Quick Look, Music Converter Pro 1.2, and Smart Converter Pro and non-Pro): reported 09/20/2011, still insecurable 2/8/2012.
- OpenDNS: insecurable download links, for example for the security tool dnscrypt.
- ...and others.
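As an added example (not code from elvey.com or from any of the vendors named above), the Python below performs the three checks the Apple case above implies before a download is trusted: the file URL must be https, the checksum page must be https AND free of http:// subresources (the mixed-security case), and the file's digest must match one the page publishes. The sample pages, the example.invalid URLs and the file bytes are constructed for the example.

```python
"""Pre-trust checks for a download and its published checksum.

Added example, not code from elvey.com or any vendor. Sample pages, URLs and
file bytes below are constructed; example.invalid is a reserved, non-routable
domain.
"""
import hashlib
import re
from urllib.parse import urlparse

# Attribute values and CSS url() references a browser would fetch over plain
# http:// from an https page, i.e. mixed content. "https://" never matches
# because the literal "http://" requires "/" right after "http".
_RESOURCE_RE = re.compile(
    r'(?:src|href|action)\s*=\s*["\']?(http://[^"\'\s>]+)'
    r'|url\(\s*["\']?(http://[^"\')\s]+)',
    re.IGNORECASE,
)
# 40 hex chars = SHA-1, 64 hex chars = SHA-256.
_DIGEST_RE = re.compile(r"\b([0-9a-f]{40}|[0-9a-f]{64})\b", re.IGNORECASE)


def is_https(url: str) -> bool:
    """True only for an https:// URL that names a host."""
    parts = urlparse(url)
    return parts.scheme.lower() == "https" and bool(parts.netloc)


def mixed_content(html: str) -> list:
    """Return every http:// subresource the page would load."""
    return [a or b for a, b in _RESOURCE_RE.findall(html)]


def published_digests(html: str) -> list:
    """Extract the SHA-1 / SHA-256 hex strings printed on a checksum page."""
    return [d.lower() for d in _DIGEST_RE.findall(html)]


def digest(data: bytes, algo: str) -> str:
    """Hex digest of the downloaded bytes with the named hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()


def classify(download_url: str, checksum_url: str, checksum_html: str) -> str:
    """'insecure'  : file or checksum page is not served over https
       'mixed'     : both https, but the checksum page loads http:// resources,
                     so a network attacker can still alter what it displays
       'secure'    : both https and no mixed content"""
    if not (is_https(download_url) and is_https(checksum_url)):
        return "insecure"
    if mixed_content(checksum_html):
        return "mixed"
    return "secure"


def verify_download(data: bytes, checksum_html: str, algo: str = "sha256") -> bool:
    """True if the file's digest is one of the digests the page publishes."""
    return digest(data, algo) in published_digests(checksum_html)


# Constructed sample data (hashes are of the bytes b"abc").
SAMPLE_FILE = b"abc"
MIXED_PAGE = (
    '<html><head><script src="http://cdn.example.invalid/analytics.js"></script>'
    "</head><body>SHA-1: a9993e364706816aba3e25717850c26c9cd0d89d</body></html>"
)
CLEAN_PAGE = (
    '<html><head><link rel="stylesheet" href="https://example.invalid/s.css"></head>'
    "<body>SHA-256: ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    "</body></html>"
)

if __name__ == "__main__":
    for name, page in (("mixed", MIXED_PAGE), ("clean", CLEAN_PAGE)):
        print(name, classify("https://example.invalid/update.dmg",
                             "https://example.invalid/checksums.html", page),
              mixed_content(page))
    print("sha1 ok:", verify_download(SAMPLE_FILE, MIXED_PAGE, "sha1"))
    print("sha256 ok:", verify_download(SAMPLE_FILE, CLEAN_PAGE, "sha256"))
```

The "mixed" result is why an https checksum page is not enough on its own: a script or stylesheet pulled over http:// can be rewritten in transit, and with it the checksum the page shows, so the digest comparison only means something when classify() returns "secure". A SHA-1 match is still accepted here because that is what the checksum pages described above publish; prefer SHA-256 where the vendor offers it.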

It's really sad and pathetic that some of the biggest, richest companies in the world, like Microsoft, Apple, and Adobe set such a bad example for the smaller players. Their stubbornness is so severe it's starting to trigger conspiracy theories!

All of the major package managers for Linux try to be secure but all have vulnerabilities.

So, we need a well-maintained, well-publicized list that names and shames those that don't get with the program. This is that list.

-Matthew Elvey.

IP

[DMCA.com logo: "Content protected by DMCA copyright rights protection enforcement"] <== Accurate and convincing but tweaked logo.


Early 2011: Initial version. Revised occasionally.
June 7, 2011: Version 1.2 - 1.4: add Adobe; add VC header; archive w/ WebCite® at http://www.webcitation.org/5zGxyVWa0.
Feb 8, 2012: Version 1.5: add ShedWorx.
Feb 25, 2012: Version 1.6: add OpenDNS, update Adobe and this changelog.
Apr, 2012: Add middle (yellow) category, color everything, more commentary. Prototype => Alpha.

Feb 25, 2012: Adobe forum thread archived w/ WebCite®.
Oct 2, 2012: Deployed and explored DMCA.com logo.
Feb 1, 2014: Progress! Apple and Microsoft have been getting much, much better about this. Need!: FinFly.
2018: Code signing has ameliorated the problems at all of the companies, thanks to work by the OS companies behind macOS, Windows and Linux to restrict execution of unsigned binaries.
Amazon, Adobe, Cisco, Ubuntu and Mozilla aren't really off the hook though. Users should know that this history shows that they have been, and I'd say remain, untrustworthy.