Jump to content

Digital signatures on updates


R1CH

Recommended Posts

Posted
There is no need to use encryption at all.
You encrypt/decrypt the hash, not the whole file.

Nice contradiction.

In any case, using something like openssl would increase the binary size (unless we link to it dynamically, which we don't really want to do. It would defeat the goal of being self-contained)

We'll see what we can do but don't hold your breath :?

As much as having the file size <100k is nifty, I think there are a number of users who would be happy to have the option of a few hundred extra kb for security libraries.

I mean, most bittorent users have broadband and at least a few meg free on their drive, so as long as it doesn't need to be installed and is under a meg I really doubt you'll see a single complaint.

You can always do a dual compile, assuming it wouldn't add too much work.

Posted

If a few kb smaller .exe is more important to you than the security of all your users, you have your priorities wrong...

Provided you only use the digital signature options in OpenSSL I don't think it adds that much overhead if your compiler is smart enough to only include the functions that are used from the .lib. I really hope you guys will add this soon.

Posted

R1CH knows his stuff. our names and site links were in the 2600 magazine because of us dealing with internet security (Winter 2003-2004 issue).

having a "<100K" app is cool and all - but it would be better to give people an added layer of protection. even if there is never a situation where uTorrent tries to download a malacious EXE, having the public/private key check would still make the program better overall.

what if some people never bother using uTorrent because of all the talk that it would allow your system to be comprimised because the writer thinks its better to have a smaller file size at the expense of a less secure product??

small size is cool - but more people would be happy with it as long as its light on resources and secure. having Azureus gobble up 80 megs on a system and 100% cpu isnt fun. uTorrent could be light on resources still while having the extra security thrown in.

Posted
...

what if some people never bother using uTorrent because of all the talk that it would allow your system to be comprimised because the writer thinks its better to have a smaller file size at the expense of a less secure product??

...

That better not be the case...if so, that particular writer needs to be paid a visit...*cough* with a baseball bat *cough*... :evil: That said, I have confidence that Ludde and Vurlix are on top of the situation and will provide us with the appropiate security. :)

Posted

R1CH:

There are inherent risks in all internet file downloads. And while your claims that this is possible are substantiated, the fact is that the RISK to information through utorrent is very LOW.

For one, there's a more likely chance of the person downloading something with utorrent through a torrent site that includes the EXEs of which you're speaking than it is that the scenario in which you have outlined would occur.

While I can agree that it can be nice to have some checking, the actual risk potential of this is happening is VERY low.

IMO if people are that worried about the auto updater, they could turn it off and visit the site itself instead.

Btw, what's up dude? haven't talked to you since Quakecon :D

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...