OpenELEC / service.openelec.settings

service.openelec.settings - OpenELEC settings addon

Updates are downloaded over HTTP with no authentication. #57

Closed takeyourhatoff closed 8 years ago

takeyourhatoff commented 9 years ago

Currently updates are downloaded over HTTP without any authentication whatsoever. This is dangerous because anybody at a privileged point on the network of a user of OpenELEC can trigger an update at any time and own the device.

chewitt commented 9 years ago

The "About" screen in the settings addon currently shows whether a build is "official" or "unofficial", though anyone can create an "official" build if they set the buildsystem config correctly. If we move to a signed binary regime to validate the authenticity of the files, it would be a good place to show the build's "signed" or "unofficial" status. Aside from that I would not draw much attention to the signed/unsigned status of builds as most of our userbase couldn't care about it and we currently have ~9000 users running unofficial builds; mostly users of ARM devices where platform support is "work in progress" and where self-building is actively encouraged (64% of that number are Pi users). I don't see any point in using SSL for downloads as certificates authenticate the interface of the host we serve from and most hosts are not under our control (we use mirrorbrain to distribute load), and even for our own boxes we cannot guarantee their security when they are managed by an ISP in a shared colo facility that we ultimately have zero oversight on.

takeyourhatoff commented 9 years ago

Yes, that seems reasonable. Self-builds should get a whole lot safer if my patch is applied to verify the checksum of all downloaded sources. I don't have time to write the sig verify code until next week and don't want to start if there is no chance of it being accepted. On 5 Jan 2015 15:48, "Christian Hewitt" notifications@github.com wrote:

The "About" screen in the settings addon currently shows whether a build is "official" or "unofficial", though anyone can create an "official" build if they set the buildsystem config correctly. If we move to a signed binary regime to validate the authenticity of the files, it would be a good place to show the build's "signed" or "unofficial" status. Aside from that I would not draw much attention to the signed/unsigned status of builds as most of our userbase couldn't care about it and we currently have ~9000 users running unofficial builds; mostly users of ARM devices where platform support is "work in progress" and where self-building is actively encouraged (64% of that number are Pi users). I don't see any point in using SSL for downloads as certificates authenticate the interface of the host we serve from and most hosts are not under our control (we use mirrorbrain to distribute load), and even for our own boxes we cannot guarantee their security when they are managed by an ISP in a shared colo facility that we ultimately have zero oversight on.

— Reply to this email directly or view it on GitHub: https://github.com/OpenELEC/service.openelec.settings/issues/57#issuecomment-68726393
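The checksum verification discussed in the two comments above only helps if the expected digest comes from somewhere the network attacker cannot reach. The sketch below is an added example, not code from service.openelec.settings or from either commenter: it verifies a downloaded update image against a sha256sum-style manifest, and verifies the manifest itself against a digest pinned in the addon, so that a mirror (or a man-in-the-middle on the plain-HTTP download) that replaces both the image and the manifest is still rejected. The image bytes, the filename and the manifest are constructed inline; the pinned digest is computed at runtime only to keep the sample self-consistent, whereas a real addon would ship it as a constant (or, better, a signature-verified file) rather than fetch it.

```python
"""Pinned-digest verification of an update image (added example, not project code).

Threat model: the update image and its SHA256SUMS manifest are fetched over
unauthenticated HTTP from a mirror the project does not control, so an attacker
on the path can rewrite both. Only a digest (or key) that ships with the addon
itself can anchor trust.
"""
import hashlib
import hmac
import io

CHUNK_SIZE = 64 * 1024


def sha256_stream(fobj, chunk_size=CHUNK_SIZE):
    """Hash a file-like object in chunks so a multi-hundred-MB image never has
    to sit in memory at once; returns the lowercase hex digest."""
    h = hashlib.sha256()
    for block in iter(lambda: fobj.read(chunk_size), b""):
        h.update(block)
    return h.hexdigest()


def parse_sha256sums(text):
    """Parse sha256sum(1)-style lines ('<64 hex chars>  <name>') into a dict.
    Malformed lines raise rather than being silently skipped, so a truncated or
    corrupted manifest cannot masquerade as one that simply omits a file."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError("malformed manifest line: %r" % line)
        digest, name = parts
        # sha256sum prefixes binary-mode entries with '*'; normalise that away.
        table[name.lstrip("*")] = digest.lower()
    return table


def verify_update(image_bytes, filename, manifest_text, pinned_manifest_digest):
    """Return (ok, reason). Both comparisons use hmac.compare_digest so timing
    does not leak how many leading hex characters matched."""
    # Step 1: the manifest must match the digest pinned inside the addon.
    manifest_digest = hashlib.sha256(manifest_text.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(manifest_digest, pinned_manifest_digest):
        return False, "manifest does not match pinned digest"
    # Step 2: the image must match the entry the (now trusted) manifest lists.
    expected = parse_sha256sums(manifest_text).get(filename)
    if expected is None:
        return False, "%s not listed in manifest" % filename
    actual = sha256_stream(io.BytesIO(image_bytes))
    if not hmac.compare_digest(actual, expected):
        return False, "image digest mismatch"
    return True, "ok"


# --- constructed sample data (not a real OpenELEC release) -------------------
SAMPLE_IMAGE = b"OPENELEC-UPDATE-SAMPLE " * 4096          # ~92 KiB, spans two chunks
SAMPLE_NAME = "OpenELEC-Generic.x86_64-sample.tar"        # hypothetical filename
SAMPLE_MANIFEST = "%s  %s\n" % (hashlib.sha256(SAMPLE_IMAGE).hexdigest(), SAMPLE_NAME)
# In a real addon this value is a compiled-in constant; computed here only so the
# sample is self-consistent.
PINNED_MANIFEST_DIGEST = hashlib.sha256(SAMPLE_MANIFEST.encode("utf-8")).hexdigest()


def demo_genuine():
    """Untampered image and manifest: accepted."""
    return verify_update(SAMPLE_IMAGE, SAMPLE_NAME, SAMPLE_MANIFEST, PINNED_MANIFEST_DIGEST)


def demo_tampered_image():
    """One bit flipped in the image, manifest untouched: rejected at step 2."""
    evil = bytearray(SAMPLE_IMAGE)
    evil[-1] ^= 0x01
    return verify_update(bytes(evil), SAMPLE_NAME, SAMPLE_MANIFEST, PINNED_MANIFEST_DIGEST)


def demo_attacker_controls_both():
    """Attacker serves a backdoored image AND a manifest that matches it. A naive
    'fetch SHA256SUMS from the same mirror' check would pass; the pinned digest
    rejects it at step 1."""
    evil_image = SAMPLE_IMAGE + b"\nbackdoor"
    evil_manifest = "%s  %s\n" % (hashlib.sha256(evil_image).hexdigest(), SAMPLE_NAME)
    return verify_update(evil_image, SAMPLE_NAME, evil_manifest, PINNED_MANIFEST_DIGEST)


if __name__ == "__main__":
    for name, fn in (("genuine", demo_genuine),
                     ("tampered image", demo_tampered_image),
                     ("attacker controls both", demo_attacker_controls_both)):
        print("%-24s -> %s" % (name, fn()))
```

A pinned digest only covers one specific release, so in practice the pinned value is a public key and the manifest carries a detached signature; the structure above stays the same, with step 1 becoming a signature check instead of a digest comparison, and it is also what makes the "signed" versus "unofficial" label in the About screen meaningful rather than a buildsystem flag anyone can set.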

chewitt commented 8 years ago

I'm closing this down as it's not something practical to implement. Thanks.