LZ1 posted ...

Hello! I'm new and happy to be a part of this great thing. I just have one question and I tried looking around to no avail. I just wondered: why doesn't Eddie have "AirVPN" or something similar as its "Publisher" when downloading the installer? Isn't this normally bad practice and/or potentially insecure? I checked my hashes and all and I think I'm in the clear regardless. But is this intentional and if so, why? Thank you

Hi there, are you new to AirVPN? Many of your questions are already answered in this guide. You may also read the Eddie Android FAQ. Moderators do not speak on behalf of AirVPN. Only the Official Staff account does. Please also do not run Tor Exit Servers behind AirVPN, thank you. Did you make a guide or how-to for something? Then contact me to get it listed in my new user guide's Guides Section, so that the community can find it more easily.
zhang888 posted ...

This requires obtaining a special "Code signing" certificate from a trusted Certificate Authority (CA). While most trusted software packages want to have this kind of signature for their installer packages, the fact that AirVPN is providing a free, open-source client actually makes this a little redundant. Let me try to explain why.

Code signing certificates can potentially be issued to anyone claiming to have a brand. There are many examples where a person can obtain a certificate for an entity he doesn't control; just for example, if you now register a domain such as AirVPN.nl and would like to have a code signing certificate for this entity, you will most likely be granted it for something like ~$100/year. So you have to check even signed executables very carefully; they don't mean anything except that the publisher was partially verified by a CA. Just like you cannot trust a site with an SSL green "lock" not to be malicious, for that matter. This is only a small part of the bigger picture. A Windows "code signing" certificate is relatively easy to obtain (unlike the Windows Driver signing certificates that are much harder and require physical contact with Microsoft).

There are many examples of Adware programs that do have a code signature; just to name a few, anything you download from these shady "Registry/PC cleaning" websites will be signed, usually by some east-European or Asian company, like one of the hundreds of examples: https://forums.malwarebytes.org/topic/165518-adware-digitally-signed/

What you have to do, if you want to maintain security, is to verify the hashes of the AirVPN client you are downloading, and the hashes are available just near the download button, you can't miss it. This will not only ensure that you download the trusted, unmodified installer, it will also mean that every time you upgrade it you can still rely on the new hashes that are published by the authors. The way software is distributed on other platforms, such as *nix, has already had this implementation for years, and usually the package manager does the signature verification for you transparently. This process ensures integrity on much higher levels than just checking the issuer brand/email.

So, to summarize, the code signing certificate only adds a cosmetic "trust", where the real trust should be based on what you download, from which origin, and the best of course is - is this software really open source and can be built on your own system, producing the same executable? (deterministic builds).

Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.
LZ1 posted ...

Thank you very much for that detailed explanation! That was excellent. I understand now. CAs seem quite useless, when put like that. But isn't there some sort of danger of impersonation? Like, couldn't someone else take AirVPN's brand name and start issuing malicious versions of their software, especially as the code for the software is open-source?
zhang888 posted ...

They can. The higher danger is usually with bigger brands that have many distribution platforms. For example, it is really hard for popular P2P or music apps to verify their integrity with their potential users, since any *torrent client downloaded from some 3rd party location can be bundled with adware/malware, just like happened before with CNET and SourceForge. AirVPN however has only 2 official locations, the SSL website and the Github source tree. This is why you have to download it only from https://airvpn.org/windows or from Github, and then verify the hashes. Any other builds should be considered untrusted.
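The hash check that both of zhang888's replies recommend (download only from the official locations, then compare the file's hash against the one the authors publish), as an added example that is not part of this thread and not AirVPN's or Eddie's own code. It assumes the published hashes come as "sha256  filename" lines in the style of sha256sum output; the installer bytes and file name used below are constructed stand-ins.

```python
"""Verify a downloaded installer against a published SHA-256 hash list.

Added example, not AirVPN's or Eddie's code. The hash list format
("<sha256>  <filename>", one per line) is an assumption modelled on
sha256sum output; the sample file contents below are constructed.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so a large installer never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_hash_list(text: str) -> dict:
    """Parse 'sha256  filename' lines into {filename: sha256}; skip blanks and comments."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed hash line: {line!r}")
        digest, name = parts
        # sha256sum prefixes the name with '*' when hashing in binary mode.
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_download(path: str, hash_list: str) -> bool:
    """Return True only if the file's SHA-256 matches the published entry for its name.

    A file with no published entry fails closed. hmac.compare_digest avoids
    short-circuiting on the first differing character of the two hex strings.
    """
    expected = parse_hash_list(hash_list)
    name = os.path.basename(path)
    if name not in expected:
        return False
    return hmac.compare_digest(sha256_of_file(path), expected[name])


# Constructed sample: a stand-in for the installer and the list a publisher would post.
SAMPLE_CONTENT = b"not a real installer, just constructed sample bytes\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_CONTENT).hexdigest()


def demo() -> tuple:
    """Write the sample file, verify it, then tamper with it and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        # Hypothetical file name; any published entry would use the real installer's name.
        path = os.path.join(tmp, "Eddie-installer-sample.exe")
        with open(path, "wb") as f:
            f.write(SAMPLE_CONTENT)
        good_list = f"{SAMPLE_SHA256}  Eddie-installer-sample.exe\n"
        pristine_ok = verify_download(path, good_list)
        # Simulate a modified download (one appended byte) checked against the same list.
        with open(path, "ab") as f:
            f.write(b"\x00")
        tampered_ok = verify_download(path, good_list)
        return pristine_ok, tampered_ok


if __name__ == "__main__":
    pristine, tampered = demo()
    print("pristine download verifies:", pristine)
    print("tampered download verifies:", tampered)
```

The same routine covers the deterministic-build point at the end of the earlier reply: hash the executable you built yourself and pass it to verify_download against the authors' list; a match means your build and the published binary are byte-identical.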
LZ1 posted ...

I see. Thank you very much :]