Auto-Updater

Topics: Feature Requests
Oct 12, 2015 at 11:31 AM
Can we add an auto-updater to VeraCrypt? Nowadays we have to check for updates manually.
Oct 16, 2015 at 2:03 PM
If Mounir decides to implement this feature, I would suggest the following:
  1. A configuration option "Check for updates" which is not enabled by default to protect users that are in very restrictive countries that would monitor for certain software that "phones home".
  2. A configuration option for the frequency of checking for updates such as "Check once a : Day, Week, Month".
  3. Notify only versus automatically update software.
Regarding automatically updating the software, I would be concerned about man-in-the-middle attacks for automatic software updates even if VeraCrypt attempts to automatically validate that the binaries have not been altered. Also, upgrading the software requires a reboot which currently can cause issues if you attempt to delay the reboot.

https://veracrypt.codeplex.com/workitem/215
Oct 17, 2015 at 11:50 AM
Edited Oct 17, 2015 at 11:54 AM
Is it possible that some website written in the VeraCrypt program (i.e. idrix.fr) can "see" where some visitor comes from if they clicked it?

I don't mean just the IP address, but some serial or something embedded in the software.

Could this be a possible vulnerability or some sort of possible attack?

Provide a fake VeraCrypt installer with a fake website address and voilà! Hacked.
Oct 17, 2015 at 12:08 PM
TrueCrypt in Russia... I think this can be solved by verifying the digital signature.
Oct 17, 2015 at 12:24 PM
Enigma2Illusion wrote:
If Mounir decides to implement this feature, I would suggest the following:
  1. A configuration option "Check for updates" which is not enabled by default to protect users that are in very restrictive countries that would monitor for certain software that "phones home".
  2. A configuration option for the frequency of checking for updates such as "Check once a : Day, Week, Month".
  3. Notify only versus automatically update software.
Regarding automatically updating the software, I would be concerned about man-in-the-middle attacks for automatic software updates even if VeraCrypt attempts to automatically validate that the binaries have not been altered. Also, upgrading the software requires a reboot which currently can cause issues if you attempt to delay the reboot.

https://veracrypt.codeplex.com/workitem/215
I think we can just prepare a Restrictive Country List and just check the system location & language settings. I think the MitM problem can be solved by verifying the digital signature. However, it's foolish to trust an API like WinVerifyTrust(). Some companies have their own CA, and it will be installed on all of their computers. This is more dangerous if a computer is joined to a domain. We should hard-code the public key of IDRIX's certificate and verify it. If we need to renew or change the certificate, not only must the new certificate be valid, but the new certificate should also be signed by the old one.
Oct 17, 2015 at 3:46 PM
Or one of the government agencies redirects traffic from the various VeraCrypt sites to replace the download with their compromised version with fake validation. :-)
Oct 19, 2015 at 3:02 AM
Enigma2Illusion wrote:
Or one of the government agencies redirects traffic from the various VeraCrypt sites to replace the download with their compromised version with fake validation. :-)
If the updater only trusts the certificate from IDRIX, the only possible way to release a working fake version is to steal the private key or force the developers to leak it. However, the latter cannot be done silently. And then we will all become aware of that :-)
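
The scheme proposed in the two posts above (trust only a hard-coded publisher key, and accept a replacement key only if the old key signed it), as an added example that is not part of the original thread and is not VeraCrypt code. It uses raw Ed25519 keys instead of X.509 certificates; the `Release`/`Rotation` layout, the `rotate:`/`release:` tags and the demo keys are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// Rotation hands trust to NewKey; Sig is made by the previous key over "rotate:"+NewKey.
type Rotation struct{ NewKey ed25519.PublicKey; Sig []byte }

// Release is a hypothetical update package; Rotations is oldest first and may be empty.
type Release struct {
	Binary    []byte
	Sig       []byte // made by the newest key over "release:"+Binary
	Rotations []Rotation
}

// tagged prefixes a purpose label so a rotation signature cannot pass as a release signature.
func tagged(tag string, b []byte) []byte { return append([]byte(tag), b...) }

// VerifyRelease trusts only the key compiled into the updater, never the OS certificate store.
func VerifyRelease(pinned ed25519.PublicKey, r Release) error {
	key := pinned
	for i, rot := range r.Rotations {
		if len(rot.NewKey) != ed25519.PublicKeySize || !ed25519.Verify(key, tagged("rotate:", rot.NewKey), rot.Sig) {
			return fmt.Errorf("rotation %d is not signed by the previous key", i)
		}
		key = rot.NewKey // trust moves forward one link at a time
	}
	if !ed25519.Verify(key, tagged("release:", r.Binary), r.Sig) {
		return fmt.Errorf("release signature does not chain to the pinned key")
	}
	return nil
}

// DemoKey builds a constructed, deterministic private key for the demo; real keys are random.
func DemoKey(b byte) ed25519.PrivateKey { return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize)) }

func main() {
	oldPriv, newPriv := DemoKey(1), DemoKey(2)
	oldPub, newPub := oldPriv.Public().(ed25519.PublicKey), newPriv.Public().(ed25519.PublicKey)
	bin := []byte("constructed installer bytes")
	rot := []Rotation{{newPub, ed25519.Sign(oldPriv, tagged("rotate:", newPub))}}
	sig := ed25519.Sign(newPriv, tagged("release:", bin))
	fmt.Println(VerifyRelease(oldPub, Release{bin, sig, rot})) // accepted: new key vouched for by old key
	fmt.Println(VerifyRelease(oldPub, Release{bin, sig, nil})) // rejected: nothing links the new key to the pin
}
```

A key that a locally installed CA or a redirected download server vouches for never enters this check, because the only root of trust is the key shipped inside the updater.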
Oct 19, 2015 at 2:20 PM
After reading various articles on the USA's NSA secret programs from Edward Snowden, I would not underestimate their ability to circumvent authentication in the software by performing a man-in-the-middle attack with modified binaries and certificates. I know that sounds paranoid, but the lengths the NSA and other secret agencies will go to in order to achieve their objective are very disturbing when it is wholesale compromises or surveillance and not an individual being targeted due to an investigation with a court order approval.

Thomas717 wrote:
I think we can just prepare a Restrictive Country List and just check the system location & language settings.
This creates an unnecessary burden to determine which countries should be on/off a restrictive list. For backward compatibility and user control, make the default option to not auto check/upgrade. You should have to opt-in to have those features.
Oct 20, 2015 at 5:40 AM
Enigma2Illusion wrote:
After reading various articles on the USA's NSA secret programs from Edward Snowden, I would not underestimate their ability to circumvent authentication in the software by performing a man-in-the-middle attack with modified binaries and certificates. I know that sounds paranoid, but the lengths the NSA and other secret agencies will go to in order to achieve their objective are very disturbing when it is wholesale compromises or surveillance and not an individual being targeted due to an investigation with a court order approval.

Thomas717 wrote:
I think we can just prepare a Restrictive Country List and just check the system location & language settings.
This creates an unnecessary burden to determine which countries should be on/off a restrictive list. For backward compatibility and user control, make the default option to not auto check/upgrade. You should have to opt-in to have those features.
Yes, you're right. I've done the same thing as you. After my reading, I think the NSA is not the Big Brother in 1984; they're the Architect in the Matrix. Until now I even suspect they have broken RSA, which is one of the bases of all certificates, since that algorithm has a long history. Indeed, they have this ability and they have done things like that. The design of the S-Box in DES wasn't published when DES was released. While people were considering whether there was a backdoor hidden in the S-Box or not, the bigger issue was that the NSA just wanted to hide a new attack method called the DC attack; at least that is what people today believe. They kept this finding for many years, and then other people found the same method and published it. You know, if the NSA found a method to crack RSA with a feasible complexity, they wouldn't let us know. Given such a long time, this is totally possible. We needn't even talk about the ECDRBG backdoor in NIST...

However, we have nothing to solve this problem. We're working on computers and networks which are designed by them directly or indirectly. All we can do is decrease the risk. We can use not only the traditional RSA algorithm to make the certificate; we can use multiple methods like ECC and so on. So far, this is all we can do. :-(
Jul 1, 2016 at 5:34 AM
If you came to this thread and want update notifications, please vote for the feature in the Issue Tracker :)

https://veracrypt.codeplex.com/workitem/478