Updater URL - Updates server security

Request new features that you would like to see in the next version of Advanced Installer.
Post a reply

Updater URL - Updates server security

Postby hovhannest » Thu Sep 23, 2010 3:23 pm

Hello

I'm trying to minimize the vulnerability of the update server that hosts my updates (msi, exe) by limiting potential downloads only to updater.

As an example, let's consider that the following URLs (note they are rewritten) are used by updater and updates server,
updater URL : http://my_domain/downloads/product_name/updates/v15
license verification URL : http://my_domain/downloads/product_name ... fy_license

First of all the license verification URL is called by updater, and I'd like to pass some application specific token (security token) back to the updater along with success code after license verification process.

Afterwards, updater.exe starts actual downloading by calling my download URL and I'd like updater to pass my application generated token back to my application in order to verify that the request came from a valid updater (actually a client that passed verification....) rather than it was requested using browser...

Is there any such mechanism or something else that can help me to find a workaround?

Thank you in advance,
Hovhannes
hovhannest
 
Posts: 2
Joined: Thu Sep 23, 2010 2:43 pm
Top

Re: Updater URL - Updates server security

Postby Bogdan » Fri Sep 24, 2010 2:19 pm

Hi Hovhannes,

I'm afraid there is no predefined support in Advanced Installer for this.

What you can try to do is to simply check the user-agent that accesses the URL. Our updater has the user-agent "AdvancedInstaller".
Any other user-agents should be refused, to make sure the link can be accessed only by our updater.

Regards,
Bogdan
Bogdan Mitrache
Advanced Installer Team
http://www.advancedinstaller.com/
Bogdan
 
Posts: 2403
Joined: Tue Jul 07, 2009 7:34 am
Top
Post a reply

Return to Feature Requests

Who is online

Users browsing this forum: No registered users and 49 guests