#1
jdownloader updates over insecure connections?
Hi

I'd like to know how jdownloader works when doing updates. Does it force an https connection to the update site? Or does it do a digital signature verification? Verifying a checksum is not enough since over an insecure connection an attacker can spoof the checksum value. I've accidentally updated jdownloader over an insecure connection and now I'm concerned about the possibility of malware injection.

For those who think this is paranoia. It is not. It does happen. And has been the case for more than a decade. Example: **External links are only visible to Support Staff**

I tried searching the knowledge base but couldn't find anything. Any replies from the developers or link to docs or knowledge base is appreciated. Thanks
#2
Sorry for late response/reaction. Oversaw this one.

Updates are secured by End-to-End signatures (SHA256withRSA). End-to-End means that the build system signs each individual update step (ADD, REMOVE, MODIFY, DELTA, DEDUPE) for each file and revision and pushes those signed update packages to the update server. That means the update server itself is not able to push other changes or alter the files as it doesn't hold any private keys. The client then can verify each single update step for each file in the update package as the public key is known to it.

Build/Signing happens locally/on-premise while the update/cdn servers are running in the *cloud*/internet on our own dedicated servers.

The communication with the update server is using https connection. Due to the selected cipher suites/settings, very very very old Java 1.6, 1.7 and very old Java 1.8 runtimes cannot connect via https and fall back to http. As all JDownloader.jar since more than 12 years can still connect/update fine, those outdated/old JDownloader.jar of course also don't use http initially.

The cdn/download connections are not fully deployed with https yet and thus mainly use http for update downloads. This is work in progress and topic of change.

In case you've got further questions, please don't hesitate and just ask
__________________
JD-Dev & Server-Admin
Last edited by Jiaz; 16.11.2024 at 22:10.
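The per-step signature check described in the reply above, as an added example that is not part of the original thread and is not JDownloader's code: a build-side key signs one update step with SHA256withRSA, and the client verifies it with the public key it already holds, so a payload, revision or operation altered on an http download path fails verification. The step encoding, the file name `Core.jar`, the revision numbers and the freshly generated demo key are assumptions made for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;

public class SignedUpdateStepDemo {
    // Hypothetical step encoding: operation, path and revision are bound to the payload hash.
    static byte[] encode(String op, String path, int rev, byte[] payload) throws Exception {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write((op + "\n" + path + "\n" + rev + "\n").getBytes(StandardCharsets.UTF_8));
        out.write(MessageDigest.getInstance("SHA-256").digest(payload));
        return out.toByteArray();
    }

    // Build system side: the only place the private key exists.
    static byte[] sign(PrivateKey key, byte[] step) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(step);
        return s.sign();
    }

    // Client side: verify against the public key the client already knows.
    static boolean verify(PublicKey known, byte[] step, byte[] sig) {
        try {
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initVerify(known);
            s.update(step);
            return s.verify(sig);
        } catch (GeneralSecurityException e) {
            return false; // a malformed signature is treated as a failed check
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair build = gen.generateKeyPair(); // constructed demo key pair
        PublicKey pub = build.getPublic();
        byte[] good = "constructed file content".getBytes(StandardCharsets.UTF_8);
        byte[] evil = "constructed file content + injected".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(build.getPrivate(), encode("MODIFY", "Core.jar", 42, good));

        // The client rebuilds the step from what it received and checks the signature.
        System.out.println("genuine step:     " + verify(pub, encode("MODIFY", "Core.jar", 42, good), sig));
        System.out.println("altered payload:  " + verify(pub, encode("MODIFY", "Core.jar", 42, evil), sig));
        System.out.println("altered revision: " + verify(pub, encode("MODIFY", "Core.jar", 41, good), sig));
        System.out.println("altered op:       " + verify(pub, encode("REMOVE", "Core.jar", 42, good), sig));
    }
}
```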