diladele / squid-windows

Squid Proxy built for Microsoft Windows
GNU General Public License v2.0
185 stars 40 forks

Website Download - Please show checksums #82

Open JavaScriptDude opened 5 years ago

JavaScriptDude commented 5 years ago

Can you please add SHA1 and/or MD5 checksum for the binary downloads to your website? At present, there is no way to safely check besides sandboxing the installer.

JavaScriptDude commented 5 years ago

Could you also please add clear version information to the msi file name, the service registration and the installer registration info? All this will help users.

To go a bit further for this, it may be a good idea to post a change log to GitHub with the file name (including version), and the checksum of the msi installer. This will further enhance users' ability to verify that the msi downloaded is valid.

ra-at-diladele-com commented 5 years ago

Yes, will try to push it into the task line. In the meantime - if MSI downloaded is incorrect then the signature shall fail? We sign MSI with our code certificate. If MSI is not signed it is not recommended to run it in the first place.

JavaScriptDude commented 5 years ago

Good point about the code signing. It definitely makes me feel better about the security.

I'm not sure, but there may still be some abilities that a new MSI could be generated and signed to replace the original, either through a MITM attack or by having the source file changed on a hacked site. It's definitely an edge case, but more checks would not hurt and would greatly increase the comfort level of the extra paranoid like myself.

I recall at a big corporation seeing someone accidentally downloading a rogue ssh client for Windows and putting it onto a DMZ jump box. That epic fail has made me extra wary of verifying downloads ever since. Ironically, I had installed the correct ssh client on the same jump box several months prior but the user just did not check and assumed it was not installed yet.

ra-at-diladele-com commented 5 years ago

Trust me - getting a code signing certificate is very complex. I would not worry about hackers in this case – the rogue ssh client was not signed properly most probably.

From: JavaScriptDude notifications@github.com
Sent: Wednesday, 27 March 2019 19:39
To: diladele/squid-windows squid-windows@noreply.github.com
Cc: Rafael Akchurin rafael.akchurin@diladele.com; Assign assign@noreply.github.com
Subject: Re: [diladele/squid-windows] Website Download - Please show checksums (#82)

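The two checks discussed in this thread, the Authenticode signature and a published checksum, can be combined in one PowerShell script. This is an added example, not code from the diladele project; it uses SHA-256 rather than the SHA1/MD5 named in the request, and the expected hash and signing-certificate thumbprint are parameters the user must obtain from the publisher, since the thread gives neither.

```powershell
# Added example: verify a downloaded installer before running it.
# All three parameter values are supplied by the user; nothing here is
# published by the project in this thread.
param(
    [Parameter(Mandatory)][string]$Path,               # downloaded installer file
    [Parameter(Mandatory)][string]$ExpectedSha256,     # checksum from the publisher's page or change log
    [Parameter(Mandatory)][string]$ExpectedThumbprint  # thumbprint of the publisher's code signing certificate
)

$problems = @()

# 1. Authenticode: the file must be signed, unmodified since signing,
#    and the certificate must chain to a root trusted on this machine.
$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid') {
    $problems += "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
}

# 2. Signer pinning: a 'Valid' status only says that *some* trusted
#    certificate signed the file. Comparing the thumbprint confirms it is
#    the publisher's certificate (the value changes when they renew it).
$cert = $sig.SignerCertificate
if ($null -eq $cert) {
    $problems += 'File carries no signer certificate'
} elseif ($cert.Thumbprint -ne ($ExpectedThumbprint -replace '\s', '')) {
    $problems += "Unexpected signer: $($cert.Subject) [$($cert.Thumbprint)]"
}

# 3. Checksum: compare against the value published for this exact file
#    name and version. String comparison with -ne is case-insensitive.
$actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.Trim()) {
    $problems += "SHA-256 mismatch: got $actual"
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "OK: $Path is signed by the expected certificate and matches the published checksum"
```

A checksum fetched from the same web page as the installer only detects a corrupted or partially replaced download; the signer check is what still holds if that page itself is altered.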