Hacker-proof downloads?

Hi all,

from time to time I’m downloading apps from the internet. Some come with SHA1 keys depicted on their website, and it is easy enough to check if the file has the same key.

HOWEVER:

If someone hacks your website and modifies your file, they can easily change the displayed SHA1 key too. Are you likely to notice? No.

So is there a way to ensure people really download the real file?

TiA

Markus

Yes, this is called AppStore.

Not that I can think of.

What about something like this:

  • have a “helper” app that starts on first run, opens your app bundle up, calculates a checksum of your actual executable
  • store the checksums encrypted in a file on your site, or a second site
  • helper does a socket connect, retrieves the encrypted checksum and compares.

Nothing is foolproof though - not even the much-beloved-of-the-fans app store.

I started to think of a complicated process and was going to suggest the Application Integrity code I wrote for xDev… However, if someone has hacked your site, chances are they’ll simply replace your downloads with their crap and the user is none the wiser until it’s too late.

You can get close to noticing with time. Record the SHA1 Key and return to the site a month later to see if it matches. Research if there’s been any hacker trouble with the site and if all is quiet I’d bet it’s safe (if the site is actively maintained).

It’s been a long time since I did this, here’s my 2p from past experience.

We bought one, but build a service on your LAN that polls your site. Get it to download your app at random intervals from, say, 10 mins to 2 hrs (increase if the site is low traffic), and have it do a few other things, like going from the home page to the download page etc., so it looks like “standard” traffic. This will make it harder for the hackers to tell that you are monitoring the download if the site is compromised.

Now you do a few things like hash the source of the various pages on the site which you navigate through to get to the download. Download those and check that they haven’t varied from previous versions. This will prevent them from putting an altered site up there and linking to a new download while you are still checking the old working download.

The only real way around this is if the hackers figure out your monitoring IP and present you with the current site and give the rest of the world the new site and compromised download.

This was a recent compromise of a huge auto updating app that put a payload on everyone’s PC who wasn’t in the country of the developer.

The only way to get around this is to have a few different sites monitoring your site from different IPs and hope they don’t figure them all out. If you go this far have the other sites in varying poll delays and paths through the site.

Pretty easy to detect if you have the budget, but make sure you have a locked-down host in the first place and you shouldn’t need this; still, it adds an extra piece of peace of mind.

Hope this helps

Good luck
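To make the monitoring idea above concrete (and the earlier suggestion of comparing a checksum against a value stored somewhere other than the download page), here is an added Python sketch of such a poller. It is not code from any poster in this thread. The site, URLs, page contents and file bytes are all constructed stand-ins; a real poller would fetch them over HTTPS. The point it demonstrates is the one Markus raised: checking the file against the hash printed on the same compromised page proves nothing, whereas comparing every page and the file against a baseline recorded at publish time catches the swap.

```python
import hashlib
import random
import re

# Constructed URLs and bodies standing in for the live site (not a real site).
HOME_URL = "https://example.invalid/"
PAGE_URL = "https://example.invalid/download"
DOWNLOAD_URL = "https://example.invalid/files/MyApp-1.0.dmg"
GOOD_FILE = b"\x00\x01MYAPP-1.0-constructed-payload"
EVIL_FILE = b"\x00\x01MYAPP-1.0-constructed-payload-with-extra"

# The path a visitor takes through the site; the poller walks the same path.
PATH_THROUGH_SITE = [HOME_URL, PAGE_URL, DOWNLOAD_URL]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def page_html(displayed_hash: str) -> bytes:
    """Download page that prints the hash of the file it links to."""
    return f"<html>MyApp 1.0 SHA-256: {displayed_hash}</html>".encode()


# Site as originally published.
GOOD_SITE = {
    HOME_URL: b"<html>Home <a href='/download'>Download</a></html>",
    PAGE_URL: page_html(sha256_hex(GOOD_FILE)),
    DOWNLOAD_URL: GOOD_FILE,
}

# Same site after an attacker swapped the file AND updated the displayed hash,
# so the hash on the page still matches the (now malicious) file.
TAMPERED_SITE = dict(GOOD_SITE)
TAMPERED_SITE[DOWNLOAD_URL] = EVIL_FILE
TAMPERED_SITE[PAGE_URL] = page_html(sha256_hex(EVIL_FILE))


def make_fetcher(site: dict):
    """Stand-in for an HTTP client: returns the body stored for a URL."""
    return lambda url: site[url]


def record_baseline(fetch, urls) -> dict:
    """Take the known-good snapshot once, right after publishing, and keep it
    off the web host (the baseline is what the attacker must not be able to edit)."""
    return {u: sha256_hex(fetch(u)) for u in urls}


def poll_once(fetch, baseline: dict, path) -> list:
    """Walk the site like a visitor and return every URL whose body changed."""
    return [url for url in path if sha256_hex(fetch(url)) != baseline[url]]


def displayed_hash_matches(page_body: bytes, file_bytes: bytes) -> bool:
    """The naive check a visitor does: does the hash printed on the page match
    the file? Returns True on the tampered site too, which is the problem."""
    match = re.search(r"\b([0-9a-f]{64})\b", page_body.decode(errors="replace"))
    return bool(match) and match.group(1) == sha256_hex(file_bytes)


def next_delay_seconds(low_minutes: int = 10, high_minutes: int = 120) -> int:
    """Randomised interval between polls so the monitor doesn't look like a cron job."""
    return random.randint(low_minutes * 60, high_minutes * 60)


if __name__ == "__main__":
    baseline = record_baseline(make_fetcher(GOOD_SITE), PATH_THROUGH_SITE)
    print("good site changed:", poll_once(make_fetcher(GOOD_SITE), baseline, PATH_THROUGH_SITE))
    print("tampered site changed:", poll_once(make_fetcher(TAMPERED_SITE), baseline, PATH_THROUGH_SITE))
    print("page hash matches tampered file:",
          displayed_hash_matches(TAMPERED_SITE[PAGE_URL], TAMPERED_SITE[DOWNLOAD_URL]))
    print("next poll in", next_delay_seconds(), "seconds")
```

Running it shows the naive page-vs-file check passing on the tampered site while the baseline comparison flags both the download page and the file. As the post says, this only works if the baseline lives somewhere the attacker can't reach and the poller's addresses aren't obvious; a publisher who can serve one site to the monitor and another to everyone else defeats it.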

That’s exactly what happened to UnrealIRCd, and no one noticed for over 6 months. Their solution was to start signing the download with GPG.
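Signing the download is the one approach in this thread that doesn't depend on the web host staying honest, provided the verifier checks against a key it obtained out of band and pinned. As an added example (not from the poster or from UnrealIRCd), here is a Python wrapper around `gpg --verify` that reads gpg's machine-readable `--status-fd` output. It exists because a zero exit code from gpg only means "some key in the keyring made a good signature"; if an attacker can also swap the published key, the check must insist on the publisher's fingerprint. The fingerprints, key IDs and status transcripts below are constructed placeholders in the shape of real gpg output, not real keys.

```python
import subprocess

# Placeholder for the publisher's fingerprint, pinned after obtaining it through a
# second channel (not from the download page). Constructed value, not a real key.
PUBLISHER_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# Constructed gpg --status-fd transcripts. A real run prints lines like these.
STATUS_GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Publisher <release@example.invalid>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-01 1704067200 0 4 0 1 8 00 "
    "0123456789ABCDEF0123456789ABCDEF01234567",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
# A good signature, but from a different key: exit code would still be 0.
STATUS_WRONG_KEY = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 76543210FEDCBA98 Someone Else <other@example.invalid>",
    "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2024-01-01 1704067200 0 4 0 1 8 00 "
    "FEDCBA9876543210FEDCBA9876543210FEDCBA98",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
STATUS_BAD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 89ABCDEF01234567 Example Publisher <release@example.invalid>",
]


def parse_gpg_status(status_lines, expected_fpr):
    """Decide whether a detached signature is acceptable.

    Returns (ok, reason). ok is True only if gpg reported GOODSIG and the
    VALIDSIG fingerprint (signing key or its primary key) equals the pinned
    publisher fingerprint. Any BADSIG/ERRSIG/NO_PUBKEY/expired/revoked line rejects.
    """
    goodsig = False
    fingerprints = set()
    for raw in status_lines:
        line = raw.strip()
        if not line.startswith("[GNUPG:] "):
            continue  # human-readable noise, ignore
        fields = line.split()
        keyword = fields[1]
        if keyword == "GOODSIG":
            goodsig = True
        elif keyword == "VALIDSIG":
            fingerprints.add(fields[2].upper())      # key that made the signature
            if len(fields) > 11:                     # primary key when a subkey signed
                fingerprints.add(fields[11].upper())
        elif keyword in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"):
            return False, keyword
    if not goodsig:
        return False, "NO_GOODSIG"
    if expected_fpr.upper() not in fingerprints:
        return False, "UNEXPECTED_KEY"
    return True, "OK"


def verify_download(sig_path, file_path, keyring_path, expected_fpr=PUBLISHER_FPR):
    """Verify file_path against the detached signature in sig_path using a
    dedicated keyring that holds only the publisher's key (requires gpg installed)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring_path,
         "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True,
    )
    return parse_gpg_status(proc.stdout.splitlines(), expected_fpr)


if __name__ == "__main__":
    for name, status in (("good", STATUS_GOOD), ("wrong key", STATUS_WRONG_KEY), ("bad", STATUS_BAD)):
        print(name, "->", parse_gpg_status(status, PUBLISHER_FPR))
```

The `TRUST_UNDEFINED` line is what gpg prints when the key isn't part of your web of trust; it does not make the exit code non-zero, which is why the fingerprint pin is doing the real work here. The same logic applies to any signing scheme: the key has to reach the user by a route the compromised site can't rewrite, which is the whole reason the hash-on-the-page approach fails.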

Use a Xojo web app to offer downloads, which pulls all information, including the file and its hash, from an encrypted database, and then monitor it. This web app can also log all downloads and geolocate them. Plus you can easily multiply it behind a haproxy for load-balancing.

… And then, I’m pretty sure that “hacker proof” ultimately does not exist