
Updater
asherkin
SourceMod Developer
Join Date: Aug 2009
Location: OnGameFrame()
04-11-2014, 14:16   Re: Updater   #411

You'll need to attach a zip file of sources for that binary.

SteamTools already supports HTTPS, and cURL should as well without needing that flag unless you're talking to broken servers.
Nefarius
Member
Join Date: Sep 2010
04-11-2014, 14:22   Re: Updater   #412

Added source code.

Like I said, GitHub, as an example, will not handshake with clients using a protocol version lower than SSL v3 (TLS v1), and the default option set in cURL will just cancel the request with an error. These are not "broken" servers but servers that ensure they won't leak information to older clients supporting only old and probably vulnerable protocol versions.

Ah, I stand corrected, after a bit of research there really seems to be a problem with GitHub not graciously downgrading from TLS 1.0/1.1/1.2 to SSLv3 automatically, how odd!
__________________
Let the future tell the truth and evaluate each one according to his work and accomplishments. The present is theirs; the future, for which I really worked, is mine.
- Nikola Tesla

Last edited by Nefarius; 04-11-2014 at 14:30.
Lordearon
Member
Join Date: Jan 2013
Location: Vietnam
04-12-2014, 01:20   Re: Updater   #413

Thank you, I'm just curious about the case where DNS can't be guaranteed

with all the router hacks I read about these days
__________________
iGame.vn

Last edited by Lordearon; 04-12-2014 at 01:25.
Nefarius
Member
Join Date: Sep 2010
04-12-2014, 12:47   Re: Updater   #414

If you consistently use SSL and your clients strictly validate the certificate against an official CA (VeriSign, COMODO, StartSSL and so on), you are pretty safe against DNS spoofing attacks (I'm simplifying it a bit, in reality it's more complicated but I won't go in too deep) because the target host name has to match the certificate's "distinguished name". If someone on your network gained access to the DNS system your server uses to resolve names and redirects traffic from your client to himself (faking the real update website), this validation would fail because only the real owner of the official update site has the corresponding private key, and no connection would be established. This only works if the private key really remains secret (which can't be assured for old certificates since the Heartbleed disaster) and the client won't skip the peer/host validation.

I hope this wasn't worded too complicated, long story short: SSL also protects against spoofed DNS requests (as long as it's set up properly).
Lordearon
Member
Join Date: Jan 2013
Location: Vietnam
04-13-2014, 00:01   Re: Updater   #415

To get VeriSign certs you have to pay.

I think it would be way easier if there is an RSA keypair, the plugin author keeps the secret key and generates a signature for the updater plugin to check with the public key. When you install a plugin, you provide the author's public key with it so you can validate the downloaded plugin comes from the right source.

A DNS hack won't be able to insert evil SourceMod addons.
Nefarius
Member
Join Date: Sep 2010
04-13-2014, 04:21   Re: Updater   #416

Quote:
Originally Posted by Lordearon
To get VeriSign certs you have to pay.

That's not a valid excuse if you are serious about what you are doing. A three year wildcard(!) multi-domain certificate from StartSSL costs 60$/2yrs! I have used them since 2008, if I remember correctly, and it works perfectly in all (modern) browsers and other clients.

Signing the files would need an implementation for SourceMod to check (like an OpenSSL extension) and a few modifications on Updater, while HTTPS would ensure transport security and is easier to implement as long as people use SteamTools or cURL.
Dr. McKay
Sir Dr. SourceMod Plugin Approver Esq. Ltd. M.D. PhD
Join Date: Aug 2011
Location: Atlantis
04-13-2014, 12:19   Re: Updater   #417

Quote:
Originally Posted by Nefarius
That's not a valid excuse if you are serious about what you are doing. A three year wildcard(!) multi-domain certificate from StartSSL costs 60$/2yrs! I have used them since 2008, if I remember correctly, and it works perfectly in all (modern) browsers and other clients.

Signing the files would need an implementation for SourceMod to check (like an OpenSSL extension) and a few modifications on Updater, while HTTPS would ensure transport security and is easier to implement as long as people use SteamTools or cURL.

Three year two years?

I think that using a type of signature system would work better. Requiring SSL is not compatible with Updater as it is now, since the Socket extension doesn't support it. Signatures would also allow for binaries supplied from other sources to be linked back to a trusted key.
Nefarius
Member
Join Date: Sep 2010
04-13-2014, 14:14   Re: Updater   #418

Quote:
Originally Posted by Dr. McKay
Three year two years?

You pay once for your personal verification (so they know you are really you) and then you can request a certificate which will stay valid for two years. If I remember correctly you can expand to three years with one additional validation step (costing a bit more ofc.).

As for the signing of files; it's possible to achieve with OpenSSL:
  1. Generate new private key called nefarius.key (this file must be kept secret!)
    • openssl genrsa -out nefarius.key 2048
  2. Extract public key nefarius.pub (this file gets distributed to the clients)
    • openssl rsa -in nefarius.key -pubout > nefarius.pub
  3. Create a hash of your plugin file
    • openssl dgst -sha256 plugin.smx > plugin.sha
  4. Sign the hash with your private(!) key
    • openssl rsautl -sign -inkey nefarius.key -out plugin.sha.rsa -in plugin.sha
  5. Transfer nefarius.pub, plugin.smx and plugin.sha.rsa to your client(s)
  6. Client verifies signed hash file
    • openssl rsautl -verify -inkey nefarius.pub -in plugin.sha.rsa -pubin > plugin.sha
  7. Client generates hash of downloaded plugin.smx
    • openssl dgst -sha256 plugin.smx > plugin.sha.tmp
  8. Client compares contents of plugin.sha and plugin.sha.tmp
    • If they don't match, the file has been manipulated. Discard file, log action, call police etc.
    • If they match, accept and install the file

A plugin using this may use the System2 extension to run the openssl command. This requires openssl being present in the system path ofc. or a static build of openssl is shipped with the plugin.
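The client-side check from steps 6 to 8 of the post above, as an added example that is not part of the original thread. It uses `openssl dgst -sign` / `-verify`, which hash and sign in one step, in place of the separate `dgst` and `rsautl` commands in the post; the function names, `plugin.sig`, the temporary directory and the plugin contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). nefarius.key, nefarius.pub and plugin.smx
# follow the post; function names, plugin.sig and the temp dir are assumptions.

# Author side: sign the SHA-256 digest of FILE with the private key.
sign_plugin() {      # sign_plugin KEY FILE SIG
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Client side: succeed only if SIG is a valid signature over FILE under PUBKEY.
verify_plugin() {    # verify_plugin PUBKEY FILE SIG
    [ -s "$1" ] && [ -s "$2" ] && [ -s "$3" ] || return 2   # missing/empty input
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# Install only verified files; otherwise discard the download and log it.
install_plugin() {   # install_plugin PUBKEY FILE SIG DESTDIR
    if verify_plugin "$1" "$2" "$3"; then
        cp "$2" "$4/" && echo "installed $(basename "$2")"
    else
        echo "REJECTED $(basename "$2"): bad or missing signature" >&2
        rm -f "$2"
        return 1
    fi
}

# Constructed demo: one genuine update and one modified after signing.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/plugins"
    openssl genrsa -out "$d/nefarius.key" 2048 2>/dev/null
    openssl rsa -in "$d/nefarius.key" -pubout -out "$d/nefarius.pub" 2>/dev/null
    printf 'constructed plugin bytes\n' > "$d/plugin.smx"
    sign_plugin "$d/nefarius.key" "$d/plugin.smx" "$d/plugin.sig"
    cp "$d/plugin.smx" "$d/tampered.smx"
    printf 'injected\n' >> "$d/tampered.smx"
    genuine_installed=no; tampered_rejected=no
    install_plugin "$d/nefarius.pub" "$d/plugin.smx" "$d/plugin.sig" "$d/plugins" && genuine_installed=yes
    install_plugin "$d/nefarius.pub" "$d/tampered.smx" "$d/plugin.sig" "$d/plugins" || tampered_rejected=yes
    rm -rf "$d"
    [ "$genuine_installed" = yes ] && [ "$tampered_rejected" = yes ]
}

demo && echo "demo: genuine update installed, tampered update rejected"
```

The check only proves the file was signed by the holder of the private key matching the public key the client already has, so the public key must come with the original install and not with the update.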
Powerlord
AlliedModders Donor
Join Date: Jun 2008
Location: Seduce Me!
04-13-2014, 14:15   Re: Updater   #419

Quote:
Originally Posted by Nefarius
or a static build of openssl is shipped with the plugin.

...for all 3 OSes SourceMod supports.
__________________
Not currently working on SourceMod plugin development.
Nefarius
Member
Join Date: Sep 2010
04-13-2014, 14:16   Re: Updater   #420

Never mind, I think I misunderstood your comment. Ofc. a build compatible with all operating systems

Linux will - in most cases - not be a problem, I just tested it with a static build for Windows:


Last edited by Nefarius; 04-13-2014 at 14:33.