bruderstein / npppm3

Web Interface and server for Notepad++ plugin manager (v3!)

Support for current hash algorithms #14

Open chcg opened 7 years ago

chcg commented 7 years ago

See https://en.wikipedia.org/wiki/MD5#Security and https://en.wikipedia.org/wiki/SHA-1#Attacks, so maybe support sha2 or sha3.

On client side probably just sha1 is available, see https://msdn.microsoft.com/de-de/library/windows/desktop/bb931357(v=vs.85).aspx I will have a deeper look at that.

bruderstein commented 7 years ago

Yes, I am aware of the security implications of MD5. But we'd need to support more on the server side (the server that validates) and in the client (PM). Once we have this MVP, then we can add to the functionality, and select some better hashing algorithms.

The attack vectors are very limited here though, it's more used just to identify that the correct file has been downloaded, and we can quickly mark a plugin file as bad if it starts doing evil things.
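An added example, not part of the thread or the project's code: one way a client could check a download against a catalogue entry that lists several digests, preferring SHA-3/SHA-2 and accepting MD5 or SHA-1 only when explicitly allowed, so old and new clients can share one entry during a migration. The entry layout (a dict of algorithm name to hex digest) and all names below are assumptions.

```python
import hashlib
import io

# Strongest first. The names are hashlib algorithm names.
PREFERENCE = ("sha3_256", "sha256", "sha1", "md5")
WEAK = frozenset({"sha1", "md5"})  # collision attacks are published for both


class DigestError(Exception):
    """The download did not match, or no acceptable digest was listed."""


def choose_algorithm(listed, allow_weak=False):
    """Pick the strongest listed algorithm this client accepts."""
    for name in PREFERENCE:
        if name in listed and (allow_weak or name not in WEAK):
            return name
    raise DigestError("no acceptable digest in entry: %s" % sorted(listed))


def verify_download(stream, digests, allow_weak=False, chunk_size=65536):
    """Hash the stream in chunks and compare with the listed digest.

    Returns the algorithm name used; raises DigestError on mismatch.
    """
    name = choose_algorithm(digests, allow_weak)
    h = hashlib.new(name)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    if h.hexdigest() != digests[name].strip().lower():
        raise DigestError("%s mismatch" % name)
    return name


# Constructed sample data: a fake plugin file and two catalogue entries.
PLUGIN = b"constructed plugin bytes, not a real DLL"
NEW_ENTRY = {
    "md5": hashlib.md5(PLUGIN).hexdigest(),        # kept for old clients
    "sha256": hashlib.sha256(PLUGIN).hexdigest(),  # used by new clients
}
LEGACY_ENTRY = {"md5": NEW_ENTRY["md5"]}  # entry not yet migrated

if __name__ == "__main__":
    print(verify_download(io.BytesIO(PLUGIN), NEW_ENTRY))
    print(verify_download(io.BytesIO(PLUGIN), LEGACY_ENTRY, allow_weak=True))
```

A digest served from the same catalogue as the file only detects corruption or a swapped file on the download host; it does not help if the catalogue itself is altered.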

chcg commented 7 years ago

Yes, that is a future task after MVP. Keep just in mind as N++ is part of wikileaks https://notepad-plus-plus.org/community/topic/13402/dll-hack-in-notepad/

chcg commented 7 years ago

Unfortunately to run the docker stuff on windows https://store.docker.com/editions/community/docker-ce-desktop-windows?tab=description

the win10 professional edition is needed. Just have the home variant and what is even worse my cpu doesn't support virtualization, so also the https://github.com/docker/toolbox is no option or a Linux VM :-(

bruderstein commented 7 years ago

Windows issues moved to #17