If I click on a download link on a page that uses ssl, will the download also use ssl?
If the answer is not (or: sometimes yes, sometimes not) - is there any way I can force it to be protected?
I'm asking this because downloading a program, and having it being tampered on the way can be just as bad, if not worse, than having a web page or my request of it, tampered or intercepted.
When you "download from a page", this means that you are actually following a link. Somewhere in the HTML source for the page is the link which states where the file actually is.
The download will use HTTPS if the link says so; it will use HTTP if the link says so. That the page itself was obtained with SSL is quite orthogonal: a page obtained over SSL may contain a non-SSL link, and vice-versa. If the link is a "basic link" then letting your mouse cursor "hover" over the link allows your browser to display somewhere in a status bar (traditionally at the bottom of the window) what URL it will actually use when you click; that way, you can see whether the download will use SSL or not.
(If the link in the HTML page is relative -- it does not specify a server name or protocol, and points to a file on the same server -- then the same protocol as the one used to obtain the HTML page will be used. However, a "full link" can also be specified, and will include an explicit protocol, which will be https:// or http://, for, respectively, SSL and not-SSL.)
Edit: an example of "hovering":
When I bring my mouse over the "Windows Installer (64-bit)" link, the browser displays at the bottom the link which will be followed for this download. That URL begins with https://, so that download will use SSL.
(Browser here is Chromium on Linux; details of such link displaying depend on OS and browser.)
Some software packages may benefit from additional protection. For instance, installer packages for Windows can be signed; the signature gives you some strong guarantee against modification of data in transit, regardless of how you obtained the file. Another traditional method is with hash values: an SSL powered Web site lists the hashes of the files (with some hash function like MD5); you can recompute the hash on what you downloaded and see if it matches the values on the Web site (see this page for an example, in the case of the ISO images for installation CD/DVD for the Ubuntu operating system).
These methods allow for decoupling the transfer method from the verification. That way, you can get the files from efficient mediums (e.g. some peer-to-peer protocol) and yet verify that you obtained the genuine thing.
If the link is relative, then yes, it will use the SSL. If the link is absolute it will use whatever the hard coded value is, which could be either http or https.
You cannot force it to be protected as some sites do not support SSL as it requires a certificate and additional server setup.
Not always and most of the time there is little you can do.
First thing first. What are you downloading that has to be secure? If it's an image of your family then fine. If it's a trial software then forget it, who cares. I explain why I say this in one of the comments below.
Small websites will have the files on the same server as the website pages are located so it will most likely be https. To be sure, hover the mouse cursor above the link and look at the status bar.
Large websites are using multiple content distribution networks and it may or not be https. It really depends on the service level they have with the distribution network.
The easiest way to be sure is to right click the link and copy the link. Paste it on your address bar and add the s after the http if it's not there already. If you get an error then the download server doesn't have a certificate installed and there is no other option.
If it's a trial software then forget it, who cares. - What do you mean? What if someone replaces it with a virus infected version in transit?