|
Register | FAQ | The Twelve Commandments | Members List | Calendar | Arcade | Find the Best VPN | Today's Posts | Search |
| LinkBack | Thread Tools | Display Modes |
| ||||
Quote:
So don't worry from where that XML file comes from. If it validates, then it was created by LimeWire LLC itself, and nobody else, not even any LimeWire open source developers). The LimeWire will not display such update notice from any version XML file with the wrong signature, and will discard it if you attempt to modify it). See it like emails you receive from anywhere but that for which you can trust its origin as it contains a cryptographic signature. LimeWire has not, and will not reveal its own encryption private key needed to create or update that file. A non-LimeWire release created from the open sources would likely discard the Limewire notice or would embed the public key of the creator of that alternate release, instead of the LimeWire LCC public key, so that this alternate version can distribute its own version.xml file. (Note that version.xml is not purely a XML file: it just appears to have an XML content, but is followed by the cryptographic signature.) This security is based on the fact that if you can trust Limewire LLC to distribute the genuine version of Limewire that you are using, then you could trust Limewire LLC's signature used for its updates. The same technic is used in general by all software distributors as well (the public key is generally encapsulated within a public certificate, stored and validable in a trustable PKI provider, which acts as the escrow for attesting that the author's identity shown in the certificate has been verified and is not patently false; this PKI can also provide information about the status of a certificate, for example if it has been compromized, and can tell you if the certificate is still valid, or if it has been invalidated by its original author). Limewire can embed one or more public keys in each release: older ones (if they have not been compromized), and the most recent one. These public keys allow accepting update messages for all future versions that will be advertized and created using the corresponding private keys. If someone does not upgrade immediately, and several major versions have been released, may be sometime in the future, none of its embedded public key will match the update messages for these future versions, if they are not created using one of the private keys corresponding to the public keys embedded in an old distribution used by some user. It will take years before this happens, unless a private key has been compromized: * For example if the LimeWire LLC private key appears to have been stolen by someone to create a volontarily broken version of Limewire, something that has still never happened, * or if the cryptographically strong signature algorithm gets broken Limewire uses a signature based on the wellknown irreversible SHA-1 cryptographic digest algorithm, which is still still safe for now; Limewire could switch at any time to a even stronger algorithm such as SHA-256 or SHA-512 which is supported now natively in Java 1.4.1+. Would the strength of this digest be ever compromized, the whole planet would be largely informed because this encryption algorithm is constantly monitored by lots of security companies. Breaking this digest algorithm is still a very challenging and difficult problem worldwide, needing lots of costly resources. When this will occur, LimeWire would immediately change its signature, and would inform users on its web site that new update notifications will use a new key, and won't be delivered to users of old versions, that will have to update manually. No one can predict when such event will ever occur (those that would attempt to break the encryption algorithm would likely use their discovery fro more "profitable" criminal actions than just building a P2P servent, which can be freely downloaded from a wellknown source; if this ever happened, this forum would be filled with warning notices about fake and viral Limewire versions). These considerations are true for any software that embeds a internet update system, including Microsoft Update, antivirus updates, Java auto updates, and so on...
__________________ LimeWire is international. Help translate LimeWire to your own language. Visit: http://www.limewire.org/translate.shtml Last edited by verdyp; November 25th, 2005 at 04:42 PM. |
| |
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
why is 3.8.1 labeled "beta" | sdsalsero | LimeWire Beta Archives | 1 | February 9th, 2004 01:10 PM |
Turn Off "Verifying File" & "Saving File" | YoCraig | New Feature Requests | 8 | November 28th, 2003 05:05 PM |
LimeWire Pro 3.6.10 Beta "Thumbs Up" | JPM1920 | General Mac Support | 0 | November 3rd, 2003 11:47 PM |
Need Gnotella 1.0 Beta Testers | shaun | Gnotella (Windows) | 2 | July 20th, 2001 11:29 AM |