That’s what they say they rolled out, after: “Within Notepad++ itself, WinGup (the updater) was enhanced in v8.8.9 to verify both the certificate and the signature of the downloaded installer”
we immediately transferred all clients’ web hosting subscriptions from this server
It looks like the binaries and the update check script were put on a simple web space. If that is the correct conclusion to draw from this excerpt, then it’d be rather strange to have the keys on that server as it’s very unlikely that it was used to produce any builds.
So the solution would have been an SSL certificate check on the client side.
That’s what they say they rolled out, after: “Within Notepad++ itself, WinGup (the updater) was enhanced in v8.8.9 to verify both the certificate and the signature of the downloaded installer”
Can’t tell if that would have helped
They could have just piped the binaries though the same server since they had this level of access. They would have had months to figure it out.
Oof, I thought it was just a DNS hijack. If they had access to the server, it’s game over regardless.
It’s not game over regardless if the updater checks a signature of the update installer. Them it wouldn’t run an installer by someone else.
That’s true, assuming they didn’t also put their private keys on the server
As the hoster wrote this:
It looks like the binaries and the update check script were put on a simple web space. If that is the correct conclusion to draw from this excerpt, then it’d be rather strange to have the keys on that server as it’s very unlikely that it was used to produce any builds.