I wanted to quickly share a brief cautionary tale with those of you visiting us about the wild and woolly world of free software distribution and redistribution. Of course, coming from me, that will likely mean it will be nowhere near as quick or as brief as I originally intended, but at least I’m going to make an effort to keep it that way.
Over the past several weeks I’ve received a number of e-mails from several free software distribution sites. I won’t mention the names of these sites, nor will I link to them, to protect the innocent (or guilty, depending on your point of view). In each of these cases, the sites in question sent me a brief e-mail “congratulating” me on the inclusion of my software (both Cryptnos and its functional ancestor, WinHasher) into their download database. I was assured that my software had been “tested in [their] labs using several industry-leading security solutions and found to be completely clean of adware/spyware components”. (Well, that’s good to know. I would have never known that if they hadn’t told me.) I was presented with a nice graphic “to let [my] users know about this certification” as well as links to where they had “mirrored” downloads of both applications.
What bothers me about these notifications is that they were unsolicited. I did not contact any of these sites and request inclusion into their databases. That isn’t necessarily a problem; both Cryptnos and WinHasher are released under a GPL license, so redistribution is not only permitted but encouraged. What bothers me is that both applications are, from various standpoints, security applications, and that the act of downloading security software, even when Open Source, from a third party introduces risks that I’m not sure I’m comfortable asking my users to take.
Certainly I could take the assurances of these download sites at face value and assume that their download mirrors are secure and provide unaltered versions of my software. However, as someone who writes a security software product, that would be a rather naive assumption to make. How can I be certain my application has not been compromised once it has left my server? While I have downloaded Cryptnos from at least one of these sites and compared its SHA-1 digest to that from our Google Code site, I have not yet been able to do so for any of the others, and I likely won’t be able to do so for every single release. For that matter, how am I to know it hasn’t been altered after I ran this test? Perhaps I am being overly paranoid, but in the realm of computer security, paranoid is the right frame of mind.
So I wanted to officially go on record by stating that the only official place to download Cryptnos releases is at our Google Code site. All download links on this site point to the Google Code site, both to conserve our bandwidth and to consolidate download count numbers. If you download Cryptnos from another site, you do so at your own risk. We cannot validate and authenticate every third-party download site, especially those we do not know about. You should always compare the cryptographic digest of these downloads against the digests posted here or at Google Code or, better yet, you should check it against the GnuPG digital signature posted for each release. If the digest or signature does not match, the download should not be trusted. This should go for all Cryptnos downloads, including those you may download from here. Since the digests and signatures posted here and at Google Code are “official”, they can be used to validate or authenticate third-party downloads. If you determine that a third party appears to be trustworthy, then you may at your discretion continue to download Cryptnos from there in the future. However, you should still validate each release against the official digest or signature here to make sure you are getting what you think you are getting.
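The check described above, as a small added shell example; this is not part of Cryptnos or its site, and the file names and the sample digest in it are constructed. The point it makes is that the expected digest must come from the official source (the author's site or the project page), never from the mirror that served the file, and that a GnuPG signature only helps if the author's public key was itself obtained from somewhere you trust.

```shell
#!/bin/sh
# Added example, not part of Cryptnos or its site: check a download obtained
# from a third-party mirror against the digest and signature the author
# publishes. File names and the sample digest below are constructed.

# Print the SHA-1 digest of a file, using whichever tool the host provides.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        shasum -a 1 "$1" | awk '{print $1}'
    fi
}

# verify_digest FILE EXPECTED -> returns 0 when FILE's SHA-1 equals EXPECTED.
# EXPECTED must be copied from the official source, never from the mirror.
verify_digest() {
    actual=$(sha1_of "$1")
    if [ "$actual" = "$2" ]; then
        echo "OK: $1 matches the official digest"
        return 0
    fi
    echo "MISMATCH: $1 has $actual, official digest is $2" >&2
    return 1
}

# verify_signature FILE -> runs GnuPG against the detached signature FILE.asc.
# The author's public key must already be in your keyring and must itself have
# been fetched from a trusted source; a valid signature proves only that the
# file was signed by whoever holds that key. Not exercised in the demo below,
# since it needs gpg and the real key.
verify_signature() {
    gpg --verify "$1.asc" "$1"
}

# Demonstration on a constructed file: the string "hello" has a well-known SHA-1.
demo() {
    tmp=$(mktemp)
    printf 'hello' > "$tmp"
    verify_digest "$tmp" aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
    # A tampered mirror copy: one byte changed, so the digest no longer matches.
    printf 'hellO' > "$tmp"
    if verify_digest "$tmp" aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d; then
        echo "unexpected: tampered file passed"
    fi
    rm -f "$tmp"
}
demo
```

In practice you would call `verify_digest Cryptnos-setup.exe <digest copied from the official page>` on the mirrored file, and `verify_signature Cryptnos-setup.exe` once the author's key is in your keyring; a mismatch from either means the download should not be trusted, whatever the mirror's "certification" graphic says.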
While we are grateful for the increased exposure and traffic these third-party sites have given us, we accept it with an air of caution. There is only one official place to get Cryptnos, and everywhere else should be approached with caution until it has been vetted.