There should be no security risk whatsoever with this - do you have a specific concern or is it simply that the query is via http: rather than https:?
The firmware update available query has no value in itself being sniffed, and if someone were able to fake an “update available” response and intercept the firmware file download and replace it with another file, then there are many other factors in play that prevent this being any kind of worthwhile attack vector.
I don’t have a specific concern, and we know the downloaded firmware files have proper checksums embedded.
It was just a general concern as the “standard” for such transfers is moving to all HTTPS to avoid potential spoofing, even for such things as live audio streams from radio stations.
It’s more than that though, Bill; anything nefarious would need to be developed for such an obscure and incredibly specific platform (and the different subsystems would have to be written to work together to achieve whatever goal the “hacker” wanted because - for example - the Control Board has no access to the network, that’s done by the streaming board, so the streaming board would need to be separately programmed as well) that it would essentially just be a non-starter for anyone to spend the time and effort doing and spoofing - there are no “dCS Streamer” IDEs - and of course we use FPGAs rather than CPUs, which means that as a platform it’s just an absolute nightmare for anyone to even start to think of doing anything with - and we don’t support WiFi either, so there’s very little that it could even do in the way of sniffing network traffic and as such would be pretty useless as an attack vector…
…so hopefully a decent example of the phrase “Security through obscurity”, especially when it’s far easier to get someone to willingly hand over their details by offering them the chance to see who’s “Unfriended” them or who’s viewed their profile on Facebook.