This is part 2 of the series, part 1 is here.
Before describing how an auto-update feature might work I wanted to talk a bit about security. An auto-update feature by definition downloads and runs programs from the internet; your users trust that your auto-update mechanism will only download and install updates to your software – don't abuse this trust.
The internet is a dangerous place. The bad guys might find a way to modify your web site, or to hijack it completely, so when your program downloads updates it has to be 100% sure those updates are from you and not from some hacker.
Verifying updates when you can't trust the source sounds like a difficult task, but it's not: that's what digital signatures are for.
Just follow these simple rules:
- Don't ever write your own encryption or digital signature code.
- Always digitally sign your updates.
- Don't ever write your own encryption or digital signature code – even if you think you know what you are doing.
- Embed the public key in your program.
- Keep the private key secure; never upload it to any internet server.
- Don't ever write your own encryption or digital signature code – even if you really know what you are doing.
- In your program, never install (or even unpack) any file that doesn't have a signature or has an invalid signature, and test both of those cases before releasing the software.
- Use a big key, larger than 1024 bits (1024 bits is the default in many systems and is still secure, but may be cracked soon; just use a larger key). And finally, don't ever write your own encryption or digital signature code.
As you might guess from the list, the most important thing is to use a digital signature library that is widely used and has been written and reviewed by experts: .NET has System.Security.Cryptography, Win32 has CryptoAPI, and most other platforms also have cryptography libraries – use them.
In the next post in this series I'll write about the inner workings of an auto-update feature.
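To make the rules above concrete, here is an added example (not code from the original post) of the sign-then-verify flow using only the Go standard library's RSA-PSS and SHA-256 implementation, which is the kind of reviewed, widely used crypto library the post recommends. The key size, the PEM constant standing in for the public key embedded in the program, and the sample update bytes are all assumptions made for this example; the important part is the `InstallUpdate` gate, which refuses to unpack anything whose signature is missing or does not verify against the embedded public key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// KeyBits is the RSA modulus size. The post says larger than 1024 bits;
// 2048 is chosen here as an assumption for the example.
const KeyBits = 2048

// GenerateKeyPair creates the publisher's signing key. The private half stays
// on the build machine; only the public half is embedded in the program.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, KeyBits)
}

// ExportPublicKeyPEM serialises the public key in the form you would paste
// into the program source as a constant.
func ExportPublicKeyPEM(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), nil
}

// ParseEmbeddedPublicKey turns the embedded PEM constant back into an RSA key.
func ParseEmbeddedPublicKey(pemText string) (*rsa.PublicKey, error) {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("embedded public key is not a PEM PUBLIC KEY block")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := key.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("embedded public key is not an RSA key")
	}
	return pub, nil
}

// SignUpdate runs on the publisher's machine: hash the update package with
// SHA-256 and sign the digest with RSA-PSS.
func SignUpdate(priv *rsa.PrivateKey, update []byte) ([]byte, error) {
	digest := sha256.Sum256(update)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// VerifyUpdate runs inside the installed program. It returns nil only when the
// signature was produced by the matching private key over exactly these bytes.
func VerifyUpdate(pub *rsa.PublicKey, update, sig []byte) error {
	if len(sig) == 0 {
		return errors.New("update has no signature")
	}
	digest := sha256.Sum256(update)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return fmt.Errorf("update signature invalid: %w", err)
	}
	return nil
}

// InstallUpdate is the gate the post describes: nothing is unpacked or run
// unless verification passes. It returns true only when the update is accepted.
func InstallUpdate(embeddedPubPEM string, update, sig []byte) (bool, error) {
	pub, err := ParseEmbeddedPublicKey(embeddedPubPEM)
	if err != nil {
		return false, err
	}
	if err := VerifyUpdate(pub, update, sig); err != nil {
		return false, err // refuse: do not unpack, do not run
	}
	// Unpacking and installing would happen here, after the check succeeded.
	return true, nil
}

func main() {
	priv, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	pubPEM, _ := ExportPublicKeyPEM(&priv.PublicKey)
	update := []byte("constructed sample update package v1.0.1") // constructed sample input
	sig, _ := SignUpdate(priv, update)
	ok, err := InstallUpdate(pubPEM, update, sig)
	fmt.Println("genuine update accepted:", ok, err)
	tampered := append([]byte{}, update...)
	tampered[0] ^= 0xff // flip one bit, as a modified download would
	ok, err = InstallUpdate(pubPEM, tampered, sig)
	fmt.Println("tampered update accepted:", ok, err)
}
```

The two negative cases from the rule list (no signature, invalid signature) are what you should exercise in a test before shipping: the gate must return false for a tampered package, for an unsigned package, and for a package signed with a key other than the one embedded in the program.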
posted @ Wednesday, June 20, 2007 11:34 AM