|Few proper updates recently; this is what happens when I'm programming hard on a serious project. Nobody wants to hear "some stuff worked and some other stuff didn't yet". I hope. However, some programmer blurbs are more interesting than others, and this is probably one such. Which isn't to say that it's interesting.|
Today, I was reminded that subverting downloads by server falsification is not an unused technique. Since my Robot Game will be doing automatic updating, I can't allow such server subversion - I don't want to leave it possible for my program to screw people's machines, even if it's also someone else's doing. There is no way to prevent the subversion at the server end. There is no way to detect it from the client, since a fake server can easily copy any responses the real server might make. What is possible, though, is making sure that the downloaded data files are the correct ones. This can be done using public-key cryptography, on the condition that the public key can be reliably transmitted to the end-user. Since the original copy of the software won't be downloaded using the software, it's not my problem if falsification has occurred before that point - the end user isn't running my program, it's nothing to do with me. So I can include the public key with the original distribution. The private key, used to sign the downloads, need never be on a server, since I can sign them before I upload them. Nobody else will be able to sign files in a way that the public key will verify. Thus any false servers will be able to supply only files which will be recognised as invalid, and remain unused. Security is maintained. Hoorah.