
use HTTPS on domain, sign installer executables.

Open indrora opened this issue 9 years ago • 4 comments

WinCompose isn't a huge target, but it's still better to run update manifests over HTTPS. With Let's Encrypt becoming a thing, it's cheap-as-free to get good HTTPS/TLS certs.

A theoretical attack would let someone attack a WinCompose user by presenting updates that weren't real.

indrora, Jun 13 '16 04:06

I’m not sure HTTPS is necessary against this attack scenario. WinCompose has to trust the binary it downloads, not necessarily the connection, so just signing the manifest with a key or certificate that WinCompose then verifies seems to be enough. What do you think?

samhocevar, Jun 13 '16 20:06
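The signed-manifest scheme samhocevar describes, as an added example written in Go (it is not WinCompose's own code, which this thread does not show). The manifest layout, the Ed25519 key pair, the `example.invalid` URL, the version string and the installer bytes are all constructed for illustration. The client ships only the public key; the manifest pins the installer's SHA-256, so the binary is trusted through the signature rather than through the connection.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the hypothetical update descriptor assumed by this example.
// Pinning the installer's SHA-256 here lets the client trust the binary via
// the manifest signature rather than via the transport it arrived over.
type Manifest struct {
	Version      string `json:"version"`
	InstallerURL string `json:"installer_url"`
	SHA256       string `json:"sha256"`
}

// SignedManifest carries the exact bytes that were signed plus a detached
// signature. Verifying over the raw bytes (not a re-serialised struct) avoids
// canonicalisation mistakes, one of the "crypto done right" pitfalls.
type SignedManifest struct {
	Manifest  []byte
	Signature []byte
}

// SignManifest runs on the publisher's machine, the only place the private key lives.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// VerifyManifest runs in the client; pub is compiled into the shipped binary.
func VerifyManifest(pub ed25519.PublicKey, sm SignedManifest) (Manifest, error) {
	if !ed25519.Verify(pub, sm.Manifest, sm.Signature) {
		return Manifest{}, errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return Manifest{}, err
	}
	return m, nil
}

// VerifyInstaller checks the downloaded bytes against the hash the signed manifest pins.
func VerifyInstaller(m Manifest, installer []byte) error {
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("installer hash does not match signed manifest")
	}
	return nil
}

// SignedUpdateDemo walks both sides with a fresh key pair and a constructed
// installer payload; it returns an error if any check misbehaves.
func SignedUpdateDemo() error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	installer := []byte("constructed installer bytes, not a real build") // constructed payload
	sum := sha256.Sum256(installer)
	m := Manifest{Version: "1.0.0", InstallerURL: "http://example.invalid/installer.exe", SHA256: hex.EncodeToString(sum[:])}
	signed, err := SignManifest(priv, m)
	if err != nil {
		return err
	}
	// 1. Genuine manifest and genuine installer are accepted.
	got, err := VerifyManifest(pub, signed)
	if err != nil {
		return err
	}
	if err := VerifyInstaller(got, installer); err != nil {
		return err
	}
	// 2. A manifest rewritten in transit is rejected although a signature is still attached.
	tampered := SignedManifest{
		Manifest:  []byte(`{"version":"1.0.0","installer_url":"http://example.invalid/evil.exe","sha256":"00"}`),
		Signature: signed.Signature,
	}
	if _, err := VerifyManifest(pub, tampered); err == nil {
		return errors.New("tampered manifest was accepted")
	}
	// 3. A swapped installer is rejected because its hash is bound by the signed manifest.
	if err := VerifyInstaller(got, append([]byte("x"), installer...)); err == nil {
		return errors.New("swapped installer was accepted")
	}
	return nil
}

func main() {
	if err := SignedUpdateDemo(); err != nil {
		fmt.Println("FAIL:", err)
		return
	}
	fmt.Println("signed manifest verified, installer hash matched, tampering rejected")
}
```

One caveat worth keeping in mind with this design: a signature proves who published a manifest, not that it is the latest one, so a client that accepts any validly signed manifest can be fed an older signed one unless it also compares versions against what it is running. It also does nothing to hide the request itself from an observer on the path.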

I agree that HTTPS should be used. It shouldn't be possible for an attacker to gather information about which version of WinCompose the user runs.

ChristianKleineidam, Aug 25 '16 10:08

Signing the manifest is OK, but would entail making sure the crypto was done right.

HTTPS with cert pinning is probably the Best Option™.

indrora, Nov 04 '16 05:11
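What "HTTPS with cert pinning" looks like on the client side, as an added example in Go rather than the project's own code. It is self-contained: a loopback TLS server from `net/http/httptest` stands in for the update host, and the pin is a SHA-256 over the certificate's SubjectPublicKeyInfo (the HPKP form); both of those, and the constructed manifest body, are assumptions made for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// SPKIPin returns the base64 SHA-256 of the certificate's SubjectPublicKeyInfo.
// Pinning the key rather than the whole certificate lets the publisher renew
// the certificate (Let's Encrypt certificates last 90 days) without breaking
// installed clients, as long as the key pair is kept.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinnedClient returns an HTTP client that does normal chain validation against
// roots and then additionally refuses any server whose leaf key is not in the
// pin set. Ship at least one backup pin so a key rotation cannot strand clients.
func PinnedClient(roots *x509.CertPool, pins []string) *http.Client {
	cfg := &tls.Config{
		RootCAs: roots,
		// VerifyConnection runs only after the standard verification has succeeded.
		VerifyConnection: func(cs tls.ConnectionState) error {
			if len(cs.PeerCertificates) == 0 {
				return errors.New("no peer certificate presented")
			}
			got := SPKIPin(cs.PeerCertificates[0])
			for _, p := range pins {
				if p == got {
					return nil
				}
			}
			return fmt.Errorf("server key %s is not in the pin set", got)
		},
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// PinningDemo stands up a loopback TLS server as a stand-in for the update host
// and reports whether the correct pin is accepted and a wrong pin rejected.
func PinningDemo() (pinnedOK bool, wrongPinRejected bool, err error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, `{"version":"1.0.0"}`) // constructed manifest body
	}))
	defer srv.Close()

	// The test server's certificate is self-signed, so it is also the trust root.
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())

	// Correct pin: the fetch goes through.
	good := PinnedClient(roots, []string{SPKIPin(srv.Certificate())})
	resp, err := good.Get(srv.URL)
	if err != nil {
		return false, false, err
	}
	resp.Body.Close()
	good.CloseIdleConnections()
	pinnedOK = resp.StatusCode == http.StatusOK

	// Wrong pin, which is what a client sees when a different key is presented
	// for the same hostname: the handshake is aborted before any HTTP request is sent.
	bad := PinnedClient(roots, []string{"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="})
	if _, err := bad.Get(srv.URL); err != nil {
		wrongPinRejected = true
	}
	return pinnedOK, wrongPinRejected, nil
}

func main() {
	ok, rejected, err := PinningDemo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("correct pin accepted:", ok, "| wrong pin rejected:", rejected)
}
```

Pinning protects the connection to the update host; it says nothing about who built the executable at the other end, which is the separate problem that code signing the installer addresses.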

A bump, four years later.

Windows Defender actively marks WinCompose updates as potentially malicious and requires multiple speedbumps to download and launch the installer because it is an unsigned executable downloaded over HTTP. Additionally, Chrome and Edge both treat the executable as potentially malicious as the download is coming from an insecure domain.

Documentation on code signing: https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-a-code-signing-certificate

indrora, Sep 09 '21 19:09