This is a minor issue but it's been bugging me for months.
1) When I click to download the new PT version in the popup when PT starts, I get directed to a HTTP (unsecured) site in my browser. I then change http:// to https:// in the address bar and end up at the HTTPS PokerTracker site (secure). However, when I then click to download the EXE file, I'm still redirected to HTTP because your ptrackupdate.com server doesn't seem to have HTTPS enabled.
2) The EXE program file is digitally signed using SHA-1 hash. SHA-1 has been broken a couple of years ago using <$100K worth of cloud computing.
These are not big problems, AFAIK hackers are not going around faking SHA-1 signatures, but considering how cheap this has become and how rich targets poker players are, I think fixing this problem is cheap and has unlimited upside in the years to come. Fixing either of these issues will fix the whole problem and all it takes is a SSL certificate
Security nitpicking
Moderators: WhiteRider, kraada, Flag_Hippo, morny, Moderators
2 posts
• Page 1 of 1
Security nitpicking
by LethalIndustry » Sat Apr 28, 2018 8:48 pm
- LethalIndustry
- Posts: 3
- Joined: Sun May 06, 2012 10:33 am
Re: Security nitpicking
by APerfect10 » Mon Apr 30, 2018 11:01 am
We take security very seriously and it has always been at the top of our priorities. We always try to meet and exceed current security industry standards and in most cases we have. However, on occasion, smaller issues such as these two can slip through the cracks. While these two issues are minor; you are absolutely correct that they should be changed to meet current industry standards.
1. ptrackupdate.com does have an SSL certificate; issued by Digicert. I have switched over all downloads of PT4 to use SSL.
2. Our code signing certificate, also issued by Digicert, which we use to sign all of our applications; does use sha256. Unfortunately, when the new sha256 hashed code signing certificate was issued, instructions and checks were not put in place upstream on the build server when the code was signed by Microsoft's code signing tool. Microsoft's code signing tool, unless passing in a flag to instruct it to use a different hash algorithm, defaults to SHA1. We are in the process of updating this and I expect that all future releases signatures will be sha256 hashed.
Thank you for bringing this to our attention.
Best regards,
Derek
1. ptrackupdate.com does have an SSL certificate; issued by Digicert. I have switched over all downloads of PT4 to use SSL.
2. Our code signing certificate, also issued by Digicert, which we use to sign all of our applications; does use sha256. Unfortunately, when the new sha256 hashed code signing certificate was issued, instructions and checks were not put in place upstream on the build server when the code was signed by Microsoft's code signing tool. Microsoft's code signing tool, unless passing in a flag to instruct it to use a different hash algorithm, defaults to SHA1. We are in the process of updating this and I expect that all future releases signatures will be sha256 hashed.
Thank you for bringing this to our attention.
Best regards,
Derek
- APerfect10
- Site Admin
- Posts: 4450
- Joined: Sat Dec 08, 2007 6:03 pm
2 posts
• Page 1 of 1
Return to PT4 Feature Requests
Who is online
Users browsing this forum: No registered users and 6 guests
