Topic "Website Feature Request: Download security information"

Author Message
ll137

Guest


Dear Martin,

First of all, thank you for a great program. I have donated on at least two occasions.

I seem to recall the download on the website got hacked a while back. At the time there was information about what a user should do to verify the download, but it seems this is now nowhere to be found. The download page gives checksums, but no information about how to verify these nor any information about the digital signature.

1. I realise users can search for how to compute checksums. It seems that in Windows this is not as straightforward as it should be - annoyingly Windows does not include these in the file properties and has no default utility either. Downloading a third-party tool takes some consideration.

2. Perhaps the checksums are not so important as the installer is digitally signed. However, no mention is made that the installer should be signed and who the author and the issuer should be. I don't know how easy it would be for a hacker to get a file signed by an authority recognised in Windows, but even if this is difficult, it would be prudent to make users aware that the real installer is signed. Unfortunately still a lot of software is unsigned and an existing user may not remember if WinSCP is supposed to be signed or might not pay attention.

A notice on the website would make users more aware and in the unfortunate event that the website is hacked again in future, alarm bells are more likely to go off for those returning for an update.

I realise of course if the website is hacked, checksums can be changed and notices can be removed, but at least existing users will realise something is wrong.

Thank you again.
martin
[View user's profile]
Site Admin
Joined: 2002-12-10
Posts: 24994
Location: Prague, Czechia
Thanks for your suggestion.

I do not remember our website ever got hacked.

Anyway, will document verification of the checksum and the certificate.
martin
[View user's profile]
Site Admin
Joined: 2002-12-10
Posts: 24994
Location: Prague, Czechia
See
https://winscp.net/eng/docs/installation#verifying
https://winscp.net/eng/docs/ui_installer#uac
Advertisements

You can post new topics in this forum






Search Site

What is WinSCP?

It is award-winning SFTP client, SCP client, FTPS client and FTP client integrated into one software program for file transfer to FTP server or secure SFTP server. [More]

And it's free!

Donate

About donations

$9   $19   $49   $99

About donations

Recommend

WinSCP Privacy Policy

WinSCP License