02-18-08, 12:37 AM   #1
Cairenn
Credendo Vides
 
Premium Member
WoWInterface Admin
Join Date: Mar 2004
Posts: 7,134
WoWInterface UI Manager

Recently Shadowd uploaded a project to make it easier for authors to upload updates for their mods. Now it’s the end-users’ turn.

The WoWInterface UI Manager is a project by Shirik that has been going on for nearly a year. It's a tool designed to help you keep track of installed addons, and assist in updating them quickly and easily. The UI Manager uses an internal API of WoWInterface so you can be sure it will continue to work even when site layout changes or if you choose a new skin.

Major Features

* One-click Check allows the UI Manager to run through all of your addons quickly without any intervention. Any addons that do need to be updated will wait for your approval before continuing.
* Multithreaded design allows for maximum use of your internet connection, processing complex compression for backup files while downloading other files at the same time.
* Connection to the WoWInterface user database to retrieve your favorites list.
* Automatic backups before every install
* All updates are compared against MD5 hashes before being installed to help ensure security.

Download Choices
This is a portable program; it works on Windows, Linux & Macintosh. There is one version for Windows users and another for Linux & Macintosh users. See the file description page of the version that is appropriate for you for further details, requirements and directions.

Last edited by Cairenn : 07-22-08 at 02:54 PM.
02-19-08, 07:05 AM   #2
Polarina
A Theradrim Guardian
AddOn Author
Join Date: Aug 2007
Posts: 63
MD5 sums are very weak when attempting to prevent malicious modifications of files. There even exists a document describing how to modify a file intentionally and have both files share the same MD5 sum.

Last edited by Cairenn : 02-19-08 at 12:16 PM.
02-19-08, 08:05 AM   #3
Layrajha
A Frostmaul Preserver
 
AddOn Author
Join Date: Mar 2006
Posts: 275
Originally Posted by Polarina View Post
MD5 sums are very weak when attempting to prevent malicious modifications of files. There even exists a document describing how to modify a file intentionally and have both files share the same MD5 sum.

While you're correct, I think that this MD5 here is about checking that the addon didn't get corrupted before the download. If someone wanted to create an evil addon that does whatever evil thing addons can do (as in, hmm, nothing huge anyway, I believe), and to have people download it instead of the one they want to download, he'd have to hack wowinterface.com before even considering the MD5 check part. And if he does, he'll have succeeded uploading malicious content to wowinterface.com, so the few people that use MD5 check won't be a real problem.

I mean, I think the MD5 part is really irrelevant to the security aspect here. It's just a little tool to tell you that you've certainly downloaded the good file, unless wowinterface's just been hacked (in which case the hacker could have changed the MD5 hash file too, anyway).

Last edited by Cairenn : 02-19-08 at 12:16 PM.
02-19-08, 10:57 AM   #4
Shirik
Blasphemer!
Premium Member
WoWInterface Super Mod
AddOn Author
Join Date: Mar 2007
Posts: 818
Originally Posted by Polarina View Post
MD5 sums are very weak when attempting to prevent malicious modifications of files. There even exists a document describing how to modify a file intentionally and have both files share the same MD5 sum.
While MD5s have been proven to be not completely secure, that doesn't mean that the step should not be taken. Please take note that this is not the ONLY step that is taken (the server also performs its own checks as well, that the UI Manager does not see), but it is an additional one. There is no valid reason to skip the checking of the MD5 if it's available.

Rest assured, there is a lot more going on than just an MD5 verification. You just don't see it, because it's all on the server
__________________
I did see, with my own eyes,
an era come to an end.
But that the next turn would be my own
was something I didn't want to know.
It's my turn next.

Shakespeare liked regexes too!
/(bb|[^b]{2})/

Last edited by Cairenn : 02-19-08 at 12:17 PM.
02-19-08, 12:19 PM   #5
Cairenn
Credendo Vides
 
Premium Member
WoWInterface Admin
Join Date: Mar 2004
Posts: 7,134
I have edited the 3 immediately preceding posts to remove the link to the document that Polarina was discussing. I do not appreciate people posting links to get around security measures. Polarina, if you do it again, I'm removing you from the site. Consider this your warning.
__________________
“Do what you feel in your heart to be right — for you’ll be criticized anyway.” ~ Eleanor Roosevelt
~~~~~~~~~~~~~~~~~~~
Co-Founder & Admin: MMOUI
02-19-08, 12:45 PM   #6
Kaomie
A Scalebane Royal Guard
 
AddOn Author
Join Date: Jan 2007
Posts: 438
Originally Posted by Polarina View Post
MD5 sums are very weak when attempting to prevent malicious modifications of files. There even exists a document describing how to modify a file intentionally and have both files share the same MD5 sum.
This is why you would notice I included both the MD5 and the exact file size of the archive on my addon page. Although this still cannot prevent MD5 collisions from happening, it makes tampering with the file a little bit (not much) harder (you cannot use basic arbitrary payload for instance, and provided the initial archive is not seeded you have to find ways to make the room necessary to inject your malicious code without impacting the visible content of the actual archive).
__________________
Kaomie
"WE LOTS OF PEOPLE FROM STRONG SERVER GUILDS" - Trade Channel

Last edited by Kaomie : 02-19-08 at 01:13 PM.
02-21-08, 05:57 AM   #7
instant
A Deviate Faerie Dragon
AddOn Author
Join Date: Oct 2005
Posts: 17
I'd be more afraid that the updater gets haxx0red and ninjas your login than the addons it updates, worst thing they can do is delete all your items (which would surely suck).
02-21-08, 11:35 AM   #8
Shirik
Blasphemer!
Premium Member
WoWInterface Super Mod
AddOn Author
Join Date: Mar 2007
Posts: 818
Originally Posted by instant View Post
I'd be more afraid that the updater gets haxx0red and ninjas your login than the addons it updates, worst thing they can do is delete all your items (which would surely suck).
Naturally that's something we've been worried about too, and that's one of the reasons we made the security changes on this site that we did. You should most certainly check the MD5 of the file before running the setup. On top of that, several features are running behind the scenes to monitor this file (as well as the others on WoWI for that matter) and will not allow you to download it if there is a discrepancy.

On top of that, an automatic update feature for the updater itself is planned in the not-too-distant future. The reason it is not in yet, and the reason it is taking me so long to work on it is because of security. One of the ways I intend to uphold security is with a 15630 bit RSA signature which will be sent along with the update, and the public key will be posted both on this server and on one of my own, which will be completely detached from WoWI. If the two public keys do not match, or the public key cannot verify the signature, then it won't update. (Just so you know, according to RSA Security, 2048-bit keys are predicted to be safe until 2030. I took it the next step. RSA has no prediction for a 15630 bit signature, but we can assume it's a long time.)
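The update check described in post #8 (refuse the update if the two published copies of the public key differ, or if the key cannot verify the signature), sketched with the `openssl` command line. This is an added example, not part of the thread and not the UI Manager's code; the file names, the throwaway 2048-bit key, the SHA-256 digest and the exit codes are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: updater-side check (not the UI Manager's own code).
# Exit codes (assumed): 0 accept, 2 key copies differ or unreadable, 3 bad signature.

# Re-encode a PEM public key so formatting differences do not matter.
canon_key() {
    openssl pkey -pubin -in "$1" -pubout 2>/dev/null
}

# verify_update UPDATE SIGNATURE KEY_FROM_SITE KEY_FROM_INDEPENDENT_SERVER
verify_update() {
    update=$1; sig=$2; key_site=$3; key_indep=$4
    a=$(canon_key "$key_site")  || return 2
    b=$(canon_key "$key_indep") || return 2
    # Both copies must parse and be identical before the key is trusted.
    [ -n "$a" ] && [ "$a" = "$b" ] || return 2
    openssl dgst -sha256 -verify "$key_site" -signature "$sig" "$update" \
        >/dev/null 2>&1 || return 3
    return 0
}

# Constructed sample release: throwaway key pair, fake payload, its signature.
make_demo_release() {
    dir=$1
    openssl genrsa -out "$dir/priv.pem" 2048 2>/dev/null
    openssl pkey -in "$dir/priv.pem" -pubout -out "$dir/pub_site.pem"
    cp "$dir/pub_site.pem" "$dir/pub_indep.pem"
    printf 'constructed update payload v2\n' > "$dir/update.bin"
    openssl dgst -sha256 -sign "$dir/priv.pem" \
        -out "$dir/update.sig" "$dir/update.bin"
}

demo=$(mktemp -d)
make_demo_release "$demo"
verify_update "$demo/update.bin" "$demo/update.sig" \
    "$demo/pub_site.pem" "$demo/pub_indep.pem" && echo "update accepted"
```

Unlike a checksum served next to the download, this check still fails when only the download server has been changed, because the second key copy and the private key live elsewhere.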
02-21-08, 02:40 PM   #9
Cairenn
Credendo Vides
 
Premium Member
WoWInterface Admin
Join Date: Mar 2004
Posts: 7,134
Originally Posted by instant View Post
I'd be more afraid that the updater gets haxx0red and ninjas your login than the addons it updates, worst thing they can do is delete all your items (which would surely suck).
That shouldn't be able to happen, since the login it asks you for is your login for this site, not your WoW login.
02-23-08, 03:58 AM   #10
instant
A Deviate Faerie Dragon
AddOn Author
Join Date: Oct 2005
Posts: 17
Originally Posted by Shirik View Post
Naturally that's something we've been worried about too, and that's one of the reasons we made the security changes on this site that we did. You should most certainly check the MD5 of the file before running the setup. On top of that, several features are running behind the scenes to monitor this file (as well as the others on WoWI for that matter) and will not allow you to download it if there is a discrepancy.

On top of that, an automatic update feature for the updater itself is planned in the not-too-distant future. The reason it is not in yet, and the reason it is taking me so long to work on it is because of security. One of the ways I intend to uphold security is with a 15630 bit RSA signature which will be sent along with the update, and the public key will be posted both on this server and on one of my own, which will be completely detached from WoWI. If the two public keys do not match, or the public key cannot verify the signature, then it won't update. (Just so you know, according to RSA Security, 2048-bit keys are predicted to be safe until 2030. I took it the next step. RSA has no prediction for a 15630 bit signature, but we can assume it's a long time.)
Thanks for clarification. Nothing can be 100% secure, but it seems like we will be close to it with that

Know of any MD5 security verifiers that can be used as a plugin to Firefox or similar, that automatically validates the downloaded file with the MD5 you have in your clipboard, or entered?
02-23-08, 04:11 AM   #11
Shirik
Blasphemer!
Premium Member
WoWInterface Super Mod
AddOn Author
Join Date: Mar 2007
Posts: 818
Originally Posted by instant View Post
Thanks for clarification. Nothing can be 100% secure, but it seems like we will be close to it with that

Know of any MD5 security verifiers that can be used as a plugin to Firefox or similar, that automatically validates the downloaded file with the MD5 you have in your clipboard, or entered?
Personally, I use openssl to do it for me. The command would be:

Code:
openssl dgst -md5 filename.msi
However this is a bit of a complicated tool to use and many people don't like command line interfaces. There is something on the order of a thousand different MD5 verifiers. Really you can just go to Google and type in "MD5 checker" and get a good result almost immediately. Unfortunately I don't see anything as a Firefox plugin, though. All I see are standalone programs.

Good luck,
-- Shirik
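A small wrapper around the `openssl dgst` command from post #11 that does the comparison instant asks about: it takes a pasted checksum, tolerates spaces and upper case, and optionally checks the exact file size as Kaomie describes. This is an added example, not part of the thread; the function name and exit codes are assumptions, and it goes slightly beyond the posts by also accepting a SHA-256 value, chosen by digest length.

```shell
#!/bin/sh
# Added example: compare a download with a published checksum and size.
# Exit codes (assumed): 0 match, 1 digest mismatch, 2 size mismatch, 3 unusable input.

# check_download FILE EXPECTED_HEX [EXPECTED_SIZE_BYTES]
check_download() {
    file=$1
    # Tolerate pasted values: strip whitespace, fold hex digits to lower case.
    want=$(printf '%s' "$2" | tr -d ' \t\r\n' | tr 'A-F' 'a-f')
    want_size=${3:-}
    [ -f "$file" ] || return 3
    case $want in *[!0-9a-f]*|'') return 3 ;; esac
    # Pick the algorithm from the number of hex characters.
    case ${#want} in
        32) alg=md5 ;;
        64) alg=sha256 ;;
        *)  return 3 ;;
    esac
    if [ -n "$want_size" ]; then
        have_size=$(( $(wc -c < "$file") ))
        [ "$have_size" -eq "$want_size" ] || return 2
    fi
    # -r prints "<hex> *<file>"; keep only the hex field.
    have=$(openssl dgst "-$alg" -r "$file" | cut -d' ' -f1) || return 3
    [ "$have" = "$want" ] || return 1
    return 0
}

# Constructed sample: a 3-byte file containing "abc" (standard test vector).
sample=$(mktemp)
printf 'abc' > "$sample"
check_download "$sample" "900150983CD24FB0 D6963F7D28E17F72" 3 \
    && echo "MD5 and size match"
check_download "$sample" \
    ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad \
    && echo "SHA-256 matches"
```

A match only shows that the file equals what the page listing the checksum describes; it says nothing if that page was changed along with the file.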