As far as I remember, uTorrent has an internal auto-update functionality that interrogates the server for a new version. I wonder how well that is secured and if owning utorrent.com is enough to distribute a malicious update to all users unfortunate enough to start the application while owned.
I'm very wary about auto-updates that pull executables (as opposed to merely data) in this way. It's one thing for Chrome to do it, I assume Google does it in a way that's safe. But freeware/shareware projects? Not so much. Hell, who's to say the authors don't lose interest in two years and let the domain expire. I had one freeware or open-source app that didn't even have the courtesy of asking, it just pulled fresh binaries and restarted -- ouch. (At least you could disable this feature in the preference.)
For example, VLC (and, IIRC, Firefox) uses asymmetric crypto to sign the update messages and the binaries. And the private keys are in none of the VideoLAN servers, but in other secret locations.
So, if the server is hacked, or a DNS is spoofed, you cannot make auto-update pull broken/malware binaries.
The problem is that, if your update process is buggy in some release, you lose those users forever...
From what I've gleaned from being a uTorrent user, it interrogates the server for a .torrent file and then downloads that torrent from a tracker they run. Presumably, anyone who owns the host of the .torrent, or anyone who owns the tracker, could own the update download -- though I'm not sure whether they use technologies like code signing at all to verify that the bits are their own.
I installed it recently and even though I tried being careful not to install anything unnecessary, it tricked me into it! There was a checkbox saying something like "accept terms and conditions and install Bing toolbar", and I only read the beginning and left it checked as EULAs have conditioned me (of course I had accepted terms and conditions of uTorrent before that).
Optional adware I can deal with in an otherwise open source application, but I've never understood why anyone would use a closed source bittorrent client if they ever plan on committing copyright infringement.
Basically the idea is to get an Authenticode certificate and sign the update .exe with it. Then, when a program checks for an update and pulls it down, it would validate the package signature and will not proceed if the details - the application and the certificate subject names - are wrong. It is as simple as it gets.
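The two comments above that describe signed updates (the VLC one and the Authenticode one) come down to the same client-side check, sketched here as an added example that is not part of the thread and is not VLC's or any project's code. Ed25519 stands in for whatever signature scheme a real updater uses, and the `Manifest` type and all function names are assumptions made for the illustration.

```go
package main
import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

type Manifest struct { // hypothetical update descriptor; field names are assumptions
	Version string `json:"version"`
	SHA256  []byte `json:"sha256"` // digest of the update binary
}

// NewDemoKey makes a throwaway key pair; a real private key stays off the servers.
func NewDemoKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}

// SignManifest is the release-side step, done where the private key lives.
func SignManifest(priv ed25519.PrivateKey, version string, binary []byte) (mj, sig []byte) {
	sum := sha256.Sum256(binary)
	mj, _ = json.Marshal(Manifest{Version: version, SHA256: sum[:]})
	return mj, ed25519.Sign(priv, mj)
}

// VerifyUpdate is the client-side step; the key is pinned in the shipped application.
func VerifyUpdate(pinned ed25519.PublicKey, mj, sig, binary []byte) (*Manifest, error) {
	if len(pinned) != ed25519.PublicKeySize || !ed25519.Verify(pinned, mj, sig) {
		return nil, fmt.Errorf("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(mj, &m); err != nil {
		return nil, err
	}
	if sum := sha256.Sum256(binary); !bytes.Equal(sum[:], m.SHA256) {
		return nil, fmt.Errorf("binary does not match signed digest")
	}
	return &m, nil
}

func main() {
	pub, priv := NewDemoKey()
	mj, sig := SignManifest(priv, "1.2.3", []byte("constructed release bytes"))
	_, err := VerifyUpdate(pub, mj, sig, []byte("swapped on the server"))
	fmt.Println("swapped binary rejected:", err != nil)
}
```

The signature covers the manifest bytes exactly as received, and the manifest is parsed only after the signature has been checked.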
[+] [-] morsch|14 years ago|reply
[+] [-] jbk|14 years ago|reply
[+] [-] pdaddyo|14 years ago|reply
[+] [-] vogonj|14 years ago|reply
[+] [-] eyko|14 years ago|reply
[+] [-] ntoshev|14 years ago|reply
[+] [-] baddox|14 years ago|reply
[+] [-] DrJ|14 years ago|reply
[+] [-] latitude|14 years ago|reply
https://github.com/apankrat/assorted/blob/master/validate_pa...
[+] [-] streptomycin|14 years ago|reply
[+] [-] agravier|14 years ago|reply
[+] [-] ploxination|14 years ago|reply
[deleted]