LZ1

AirVPN.exe Unknown Publisher

Hello!

I'm new and happy to be a part of this great thing.

I just have 1 question and I tried looking around to no avail. I just wondered: why doesn't Eddie have "AirVPN" or something similar, as its "Publisher" when downloading the installer?

Isn't this normally bad practice and/or potentially insecure? I checked my hashes and all and I think I'm in the clear regardless. But is this intentional and if so, why?

Thank you


Moderators do not speak on behalf of AirVPN. Only the Official Staff account does. Please also do not run Tor Exit Servers behind AirVPN, thank you.
Did you make a guide or how-to for something? Then contact me to get it listed in my new user guide's Guides Section, so that the community can find it more easily.

This requires obtaining a special "Code signing" certificate from a trusted Certificate Authority (CA). While most trusted software packages want to have this kind of signature for their installer packages, the fact that AirVPN is providing a free, open-source client actually makes this a little redundant.

Let me try to explain why.

Code signing certificates can potentially be issued to anyone claiming to have a brand. There are many examples where a person can obtain a certificate for an entity he doesn't control. Just for example, if you now register a domain such as AirVPN.nl and would like to have a code signing certificate for this entity, you will most likely be granted it for something like ~$100/year.

So you have to check even signed executables very carefully; they don't mean anything except that the publisher was partially verified by a CA. Just like you cannot trust a site with the SSL green "lock" not to be malicious, for that matter. This is only a small part of the bigger picture. A Windows "code signing" certificate is relatively easy to obtain (unlike the Windows Driver signing certificates, which are much harder and require physical contact with Microsoft).

There are many examples of Adware programs that do have a code signature. Just to name a few, anything you download from these shady "Registry/PC cleaning" websites will be signed, usually by some east-European or Asian company, like one of the hundreds of examples:

https://forums.malwarebytes.org/topic/165518-adware-digitally-signed/

What you have to do, if you want to maintain security, is to verify the hashes of the AirVPN client you are downloading. The hashes are available just near the download button; you can't miss it. This will not only ensure that you download the trusted, unmodified installer, it will also mean that every time you upgrade it you can still rely on the new hashes that are published by the authors. The way software is distributed on other platforms, such as *nix, has already had this implementation for years, and usually the package manager does the signature verification for you transparently. This process ensures integrity on a much higher level than just checking the issuer brand/email.

So, to summarize, the code signing certificate only adds a cosmetic "trust", where the real trust should be based on what you download and from which origin, and the best of course is: is this software really open source and can it be built on your own system, producing the same executable? (deterministic builds).


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Thank you very much for that detailed explanation! That was excellent. I understand now.

CAs seem quite useless, when put like that. But isn't there some sort of danger of impersonation? Like, couldn't someone else take AirVPN's brand name and start issuing malicious versions of their software, especially as the code for the software is open-source?


They can.

The higher danger is usually with bigger brands that have many distribution platforms. For example, it is really hard for popular P2P or music apps to verify their integrity with their potential users, since any *torrent client downloaded from some 3rd-party location can be bundled with adware/malware, just like happened before with CNET and SourceForge. AirVPN however has only 2 official locations, the SSL website and the Github source tree.

This is why you have to download it only from https://airvpn.org/windows or from Github, and then verify the hashes.

Any other builds should be considered untrusted.


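The two moderator replies above both come down to the same check: fetch the installer only from an official location and compare its hash against the value the publisher lists next to the download. The script below is an added example for this thread, not AirVPN's or Eddie's own code. It parses a sha256sum-style listing (`<hex digest>  <filename>`, the format is an assumption, adapt it to what the download page actually shows), streams the file so a large installer does not have to fit in memory, and compares the digests with a constant-time comparison. The installer bytes, the listing, and the file names in `run_demo()` are all constructed so the example runs offline; in real use you would point `verify_download()` at the downloaded installer and paste the published hash listing.

```python
"""Verify a downloaded installer against a publisher-listed hash.

Added example for this thread (not AirVPN's or Eddie's code). The listing
format (sha256sum style) and all sample data are constructed assumptions.
"""
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Digest algorithms this checker accepts; weak ones (MD5, SHA-1) are left out on purpose.
SUPPORTED = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}

# One listing line: hex digest, whitespace, optional '*' (sha256sum binary mode), file name.
# File names containing spaces are not handled by this simple pattern.
LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(\S+)$")

# Constructed stand-in for a genuine installer body (NOT a real executable).
GENUINE_BYTES = b"MZ constructed stand-in for an installer body\n" * 64


def file_digest(path, algo="sha256", chunk=1 << 20):
    """Hash a file in 1 MiB chunks and return the lowercase hex digest."""
    h = SUPPORTED[algo]()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_hash_listing(text):
    """Parse '<hex>  <file>' lines into {filename: lowercase_hex}; skip blanks and '#' comments."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised hash line: {raw!r}")
        digest, name = m.groups()
        expected[name] = digest.lower()
    return expected


def verify_download(path, listing_text, algo="sha256"):
    """Return (ok, reason) for the file at `path` against the published listing."""
    expected = parse_hash_listing(listing_text)
    name = Path(path).name
    if name not in expected:
        return False, f"{name} is not listed in the published hashes"
    want = expected[name]
    digest_len = SUPPORTED[algo]().digest_size * 2
    if len(want) != digest_len:
        return False, f"listed digest has {len(want)} hex chars, {algo} needs {digest_len}"
    got = file_digest(path, algo)
    # Constant-time comparison; both values are lowercase hex strings of equal length.
    if not hmac.compare_digest(got, want):
        return False, f"{algo} mismatch: expected {want[:16]}..., got {got[:16]}..."
    return True, f"{name} matches the published {algo}"


def run_demo():
    """Constructed end-to-end run: the publisher lists a hash, the user checks three downloads."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        # What a publisher would show beside the download button (constructed here
        # from the genuine bytes, in sha256sum format, with a comment line).
        listing = (
            "# constructed listing of official build hashes\n"
            f"{hashlib.sha256(GENUINE_BYTES).hexdigest()}  Installer.exe\n"
        )
        genuine = Path(tmp) / "Installer.exe"
        genuine.write_bytes(GENUINE_BYTES)
        results["genuine"] = verify_download(genuine, listing)

        # Same file name as served by a third-party mirror, but with bytes appended.
        mirror = Path(tmp) / "mirror"
        mirror.mkdir()
        tampered = mirror / "Installer.exe"
        tampered.write_bytes(GENUINE_BYTES + b"\x90" * 16)
        results["tampered"] = verify_download(tampered, listing)

        # Correct bytes under a name the publisher never listed: still not verifiable.
        renamed = Path(tmp) / "Setup.exe"
        renamed.write_bytes(GENUINE_BYTES)
        results["unlisted"] = verify_download(renamed, listing)
    return results


if __name__ == "__main__":
    for label, (ok, reason) in run_demo().items():
        print(f"{label:9s} {'OK ' if ok else 'BAD'} {reason}")
```

The `unlisted` case is worth keeping in mind: a hash only proves anything when you compare it against a value the publisher actually published for that exact file, obtained over the same trusted channel (here, the HTTPS site or the GitHub tree the reply names), not a hash copied from the mirror that served the file.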
I see.

Thank you very much :]

