Quote:
Originally posted by et voilą Just a thought: what about security and the in network updating? I've always been wary of upgrade notifications in the past on LW: what certifies you there is no false signal spreading letting you know that a real new version is available?
Merci |
The version.xml file that gets downloaded on startup or when it is discovered on the network is cryptographically signed with the LimeWire private key. It is only valid if this encrypted signature matches after decrypting it using the LimeWire public key.
So don't worry from where that XML file comes from. If it validates, then it was created by LimeWire LLC itself, and nobody else, not even any LimeWire open source developers). The LimeWire will not display such update notice from any version XML file with the wrong signature, and will discard it if you attempt to modify it). See it like emails you receive from anywhere but that for which you can trust its origin as it contains a cryptographic signature.
LimeWire has not, and will not reveal its own encryption private key needed to create or update that file. A non-LimeWire release created from the open sources would likely discard the Limewire notice or would embed the public key of the creator of that alternate release, instead of the LimeWire LCC public key, so that this alternate version can distribute its own version.xml file.
(Note that version.xml is not purely a XML file: it just appears to have an XML content, but is followed by the cryptographic signature.)
This security is based on the fact that if you can trust Limewire LLC to distribute the genuine version of Limewire that you are using, then you could trust Limewire LLC's signature used for its updates.
The same technic is used in general by all software distributors as well (the public key is generally encapsulated within a public certificate, stored and validable in a trustable PKI provider, which acts as the escrow for attesting that the author's identity shown in the certificate has been verified and is not patently false; this PKI can also provide information about the status of a certificate, for example if it has been compromized, and can tell you if the certificate is still valid, or if it has been invalidated by its original author).
Limewire can embed one or more public keys in each release: older ones (if they have not been compromized), and the most recent one. These public keys allow accepting update messages for all future versions that will be advertized and created using the corresponding private keys.
If someone does not upgrade immediately, and several major versions have been released, may be sometime in the future, none of its embedded public key will match the update messages for these future versions, if they are not created using one of the private keys corresponding to the public keys embedded in an old distribution used by some user.
It will take years before this happens, unless a private key has been compromized:
* For example if the LimeWire LLC private key appears to have been stolen by someone to create a volontarily broken version of Limewire, something that has still never happened,
* or if the cryptographically strong signature algorithm gets broken
Limewire uses a signature based on the wellknown irreversible SHA-1 cryptographic digest algorithm, which is still still safe for now; Limewire could switch at any time to a even stronger algorithm such as SHA-256 or SHA-512 which is supported now natively in Java 1.4.1+. Would the strength of this digest be ever compromized, the whole planet would be largely informed because this encryption algorithm is constantly monitored by lots of security companies. Breaking this digest algorithm is still a very challenging and difficult problem worldwide, needing lots of costly resources.
When this will occur, LimeWire would immediately change its signature, and would inform users on its web site that new update notifications will use a new key, and won't be delivered to users of old versions, that will have to update manually. No one can predict when such event will ever occur (those that would attempt to break the encryption algorithm would likely use their discovery fro more "profitable" criminal actions than just building a P2P servent, which can be freely downloaded from a wellknown source; if this ever happened, this forum would be filled with warning notices about fake and viral Limewire versions).
These considerations are true for any software that embeds a internet update system, including Microsoft Update, antivirus updates, Java auto updates, and so on...