JDownloader Community - Appwork GmbH
  #1  
Old 08.11.2024, 22:06
bugnotme
BugMeNot Account
 
Join Date: Apr 2013
Posts: 403
jdownloader updates over insecure connections?

Hi

I'd like to know how jdownloader works when doing updates.
Does it force an https connection to the update site? Or does a digital signature verification?

Verifying a checksum is not enough since over an insecure connection an attacker can spoof the checksum value.

I've accidentally updated jdownloader over an insecure connection and now I'm concerned about the possibility of malware injection.

For those who think this is paranoia: it is not. It does happen, and has been the case for more than a decade. Example: **External links are only visible to Support Staff**

I tried searching the knowledge base but couldn't find anything.
Any replies from the developers or link to docs or knowledge base is appreciated.

Thanks
  #2  
Old 16.11.2024, 17:17
Jiaz
JD Manager
 
Join Date: Mar 2009
Location: Germany
Posts: 81,684

Sorry for late response/reaction. Oversaw this one.

Updates are secured by End-to-End signatures (SHA256withRSA). End-to-End means that the build system signs each individual update step (ADD, REMOVE, MODIFY, DELTA, DEDUPE) for each file and revision and pushes those signed update packages to the update server. That means the update server itself is not able to push other changes or alter the files as it doesn't hold any private keys. The client then can verify each single update step for each file in update package as the public key is known to it. Build/Signing happens locally/on-premise while the update/cdn servers are running in the *cloud*/internet on our own dedicated servers.

The communication with the update server is using https connection.
Due to the selected cipher suites/settings, very very very old Java 1.6,1.7 and very old Java 1.8 runtimes cannot connect via https and fallback to http. As all JDownloader.jar since more than 12 years can still connect/update fine, those outdated/old JDownloader.jar of course also don't use http initially.

The cdn/download connections are not fully deployed with https yet and thus mainly use http for update downloads.
This is work in progress and topic of change.

In case you've got further questions, please don't hesitate and just ask
__________________
JD-Dev & Server-Admin

Last edited by Jiaz; 16.11.2024 at 22:10.
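The two points made in this thread, that a plain checksum fetched over http can be recomputed by whoever sits on the path (post #1) and that a per-step signature made on the build system and checked against a public key baked into the client cannot (post #2), can be demonstrated with a small model. The following Go program is an added example; it is not JDownloader's code and the `UpdateStep` layout, the field names and the constructed payloads are assumptions. "SHA256withRSA" is the Java JCA algorithm name; the equivalent in Go's standard library is PKCS#1 v1.5 signing over a SHA-256 digest, which is what `rsa.SignPKCS1v15` with `crypto.SHA256` does.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// UpdateStep is one signed action of an update package. This is a constructed
// model of the scheme described in the thread, not JDownloader's real format.
type UpdateStep struct {
	Action   string   // ADD, REMOVE, MODIFY, DELTA or DEDUPE
	Path     string   // file the step applies to
	Revision uint64   // revision the step belongs to
	Payload  []byte   // file content or delta
	Checksum [32]byte // plain SHA-256 of Payload: what a checksum-only scheme relies on
	Sig      []byte   // SHA256withRSA signature over canonical(step), made by the build system
}

// NewSigningKey stands in for the build system's private key (never leaves the build host).
func NewSigningKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func NewStep(action, path string, rev uint64, payload []byte) *UpdateStep {
	return &UpdateStep{Action: action, Path: path, Revision: rev, Payload: payload}
}

// canonical is the byte string that is signed. Action, path and revision are
// included so a signed step cannot be replayed for another file or revision.
func canonical(s *UpdateStep) []byte {
	var buf []byte
	put := func(b []byte) {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(b)))
		buf = append(buf, n[:]...)
		buf = append(buf, b...)
	}
	put([]byte(s.Action))
	put([]byte(s.Path))
	var rev [8]byte
	binary.BigEndian.PutUint64(rev[:], s.Revision)
	buf = append(buf, rev[:]...)
	put(s.Payload)
	return buf
}

// SignStep runs on the build system: it fills in the checksum and the signature.
func SignStep(priv *rsa.PrivateKey, s *UpdateStep) error {
	s.Checksum = sha256.Sum256(s.Payload)
	digest := sha256.Sum256(canonical(s))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return err
	}
	s.Sig = sig
	return nil
}

// VerifyChecksum is the weak check: it only proves payload and checksum agree with each other.
func VerifyChecksum(s *UpdateStep) bool {
	return sha256.Sum256(s.Payload) == s.Checksum
}

// VerifyStep runs in the client with the public key it ships with; the update
// server never sees the private key, so it cannot produce a valid Sig.
func VerifyStep(pub *rsa.PublicKey, s *UpdateStep) bool {
	digest := sha256.Sum256(canonical(s))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], s.Sig) == nil
}

// TamperInTransit models a compromised server or on-path modification of an http
// download: the payload is swapped and the checksum recomputed to match it.
func TamperInTransit(s *UpdateStep, payload []byte) *UpdateStep {
	t := *s
	t.Payload = payload
	t.Checksum = sha256.Sum256(payload)
	return &t
}

func main() {
	priv, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	step := NewStep("MODIFY", "jd/core.jar", 42, []byte("genuine build output (constructed)"))
	if err := SignStep(priv, step); err != nil {
		panic(err)
	}
	evil := TamperInTransit(step, []byte("modified in transit (constructed)"))
	fmt.Println("genuine: checksum", VerifyChecksum(step), "signature", VerifyStep(&priv.PublicKey, step))
	fmt.Println("tampered: checksum", VerifyChecksum(evil), "signature", VerifyStep(&priv.PublicKey, evil))
}
```

Running it prints `genuine: checksum true signature true` and `tampered: checksum true signature false`: the recomputed checksum passes, the signature does not. Two design points matter for the "end-to-end" property the answer describes: the signed bytes must cover the file path and revision, not just the content, or a genuine old step could be replayed into a different slot; and the verifying key must already be inside the client, because a public key fetched over the same insecure channel could be swapped along with the package.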