    Advices to prevent further security vulnerabilities

    • Nppenjoyr (last edited by Nppenjoyr)

      Checking the update file’s signature is a strong enhancement. If you didn’t implement it, I would suggest this schema, and it would be as strong as a signature check:

      1- Use/add an automatic PGP check of the update file, for the possibility that file signatures aren’t available anymore for any reason.
      2- Implement DNS-over-HTTPS in wingup (the updater, I think).
      3- Use HSTS (forced DNS-level HTTPS) and a CA record (certificate authority that is allowed to issue certs for the domain) in the DNS records (should be extended by online DNS health checkers).
      4- Use 40-day certs from Let’s Encrypt.

      5- This is the key point: do not use remote hosting services for both the website and the update host, like Linus Torvalds does, because you will be sharing your HTTPS certificates with your hosting provider. We want to keep HTTPS certs away from third parties.

      Two possible schemas are:

      5.1- If your home internet speed is fast enough, set up your own web server on your PC under VirtualBox (in case of web server software CVEs/RCEs). I or anyone can help with that. Don’t forget to harden the server for security.

      5.2- If your internet speed is slow, set up your own server on your PC but provide a smaller downloader setup. They are usually under 100 KB, but don’t forget to implement signature/PGP checks in it, and DNS settings like HSTS/CA. A simple TLS-check-hardened curl command may help for downloading. After download, do a final cert issuer check and/or PGP check on the setup file. I don’t know if it’s OK to use GitHub as a hosting service for downloading the real, bigger setup file from the smaller downloader setup. Anyway, you can use any hosting service at this point to download the bigger, real setup, like Steam does, because from now on the smaller downloader setup is aware of non-legitimate/compromised setups! You can even use Alibaba Cloud. The small downloader setup comes from the author’s own PC; the bigger setup comes from anywhere you want. Thanks to the signature checks!

      You can’t use Cloudflare or similar in these schemas, unless you trust Cloudflare… (we don’t want to trust anyone, right?)

      If you want to, and you should, hide your home IP, you can rent a small VPS for its dedicated IPv4 and redirect ports 80 and 443 to your home server. Better, set up a VPN to the VPS, so you don’t need an all-ports-forwarded dedicated IP at home, which usually costs some dollars from your home ISP. Or you can simply use a VPN with a port-forwarded dedicated IP, which is less than $20/mo.

      In the smaller downloader file and in wingup (the updater inside the real editor, npp), an embedded/hardcoded DNS-over-HTTPS (DoH) resolver would be a good security measure for hardening purposes.

      I can provide further advice to the author of npp, directly to him in private.

      Edited: version 5
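The "small downloader" flow proposed in 5.2 (hardened TLS fetch, then refuse the installer unless its digest and detached PGP signature verify against material baked into the downloader) looks like the script below. This is an added illustration, not code from the post, from Notepad++ or from its updater; the URL, DoH resolver, public-key pin and signing-key fingerprint are placeholders, and it assumes curl 7.62 or newer (for `--doh-url` and `--pinnedpubkey`) and `gpg` on the PATH.

```shell
#!/bin/sh
# Added example: a minimal "small downloader" that fetches the real installer
# over hardened TLS and trusts it only after hash and PGP signature checks.
# All values below are placeholders (assumptions), not real project values.

UPDATE_URL="https://updates.example.invalid/installer.exe"   # placeholder
SIG_URL="${UPDATE_URL}.asc"                                   # placeholder
PUBKEY_PIN="sha256//REPLACE_WITH_SPKI_SHA256_BASE64"         # placeholder SPKI pin
DOH_URL="https://doh.example.invalid/dns-query"               # placeholder resolver
SIGNING_KEY_FPR="REPLACE_WITH_40_HEX_CHAR_FINGERPRINT"        # placeholder key

# Print the hex SHA-256 of a file, using whichever tool the platform provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeed only if the file exists and matches a digest that was published
# over a separate, trusted channel (e.g. hardcoded in the downloader).
verify_sha256() {
    file="$1"; expected="$2"
    [ -f "$file" ] || return 1
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# Hardened fetch: HTTPS only (also across redirects), TLS 1.2+, pinned server
# public key, and DNS-over-HTTPS so the local resolver is not a weak link.
hardened_fetch() {
    url="$1"; out="$2"
    curl --fail --silent --show-error \
         --proto '=https' --proto-redir '=https' --max-redirs 2 \
         --tlsv1.2 \
         --pinnedpubkey "$PUBKEY_PIN" \
         --doh-url "$DOH_URL" \
         --output "$out" "$url"
}

# Detached-signature check that also requires the signing key to be the one
# whose fingerprint is hardcoded, so a swapped key on the host is rejected.
verify_pgp() {
    file="$1"; sig="$2"
    gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null |
        grep -q "^\[GNUPG:\] VALIDSIG $SIGNING_KEY_FPR "
}

# Full flow: download installer and signature, verify, then print the path.
# Not invoked here; call download_and_verify from the downloader's entry point.
download_and_verify() {
    tmp=$(mktemp -d) || return 1
    hardened_fetch "$UPDATE_URL" "$tmp/installer" || return 1
    hardened_fetch "$SIG_URL" "$tmp/installer.asc" || return 1
    if ! verify_pgp "$tmp/installer" "$tmp/installer.asc"; then
        echo "signature check failed; not running installer" >&2
        rm -rf "$tmp"
        return 1
    fi
    echo "$tmp/installer"
}
```

The digest check is the part that works even when the bigger installer is served from a third-party host, as the post suggests: the small downloader carries the expected hash and signing key, so the host only needs to deliver bytes, not be trusted.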

      • PeterJones @Nppenjoyr (last edited by PeterJones)

        @Nppenjoyr ,

        I moved this to the Security section, not the general development section.

        The Developer doesn’t read the majority of Community forum posts, so if these were meant as advice to the Developer, it won’t make it to him.

        Further, the security enhancements made from last summer through now have implemented some or all of the suggestions you already made (or better versions thereof: no reason to check gpg signatures automatically when it checks for a valid code-signing certificate when it downloads the updater). Before offering advice or trying to contact the developer through the Issues interface in the repo, if I were you I’d take some time to actually read through the history of the various events since last summer as well as the fixes made over the last months, to make sure that your suggestions aren’t already implemented.

        BTW:

        5.1- If your home internet speed is fast enough, set up your own web server on your PC under VirtualBox (in case of web server software CVEs/RCEs). I or anyone can help with that. Don’t forget to harden the server for security.

        IMO, this is BAD advice. To suggest to a non-security specialist who runs this as a hobby, that he should self-host, and try to keep up on all the security hardening, is asking him to get hacked even worse than the hack that already happened. He was literally paying a host to provide such services, and the professionals failed; he has now changed providers to a host who has better security procedures.

        • Nppenjoyr @PeterJones (last edited by Nppenjoyr)

          @PeterJones
          I believe I read the history; there is always more to do when it’s about security. It’s easy to read and may help npp’s security measures significantly. I don’t think all of my suggestions are already implemented.

          • Nppenjoyr @PeterJones

            BTW:

            5.1- If your home internet speed is fast enough, set up your own web server on your PC under VirtualBox (in case of web server software CVEs/RCEs). I or anyone can help with that. Don’t forget to harden the server for security.

            IMO, this is BAD advice. To suggest to a non-security specialist who runs this as a hobby, that he should self-host, and try to keep up on all the security hardening, is asking him to get hacked even worse than the hack that already happened. He was literally paying a host to provide such services, and the professionals failed; he has now changed providers to a host who has better security procedures.

            Believe me, it’s not that hard to set up a web server or harden it, especially while backed by a strong community. The risks are different between hosting at home and hosting remotely. The hosting firm may be offered money to hijack, or an out-of-date hosting management software with an RCE was waiting to be abused.

            The Community of users of the Notepad++ text editor.