NetTalk Central

Author Topic: Convert ZIP to BASE64 for d/l  (Read 5942 times)

Wolfgang Orth

Convert ZIP to BASE64 for d/l
« on: April 17, 2014, 07:16:18 AM »
Hello all,

My plan is to make my program a Webclient, that the admin can check the option to look for the latest version and possibly download the ZIP from my webserver.

However, in some networks the download of binary files is prohibited or they do a Deep Inspection, whether there is an EXE hidden inside the ZIP and then cancel the download for security reasons.

Would it be a viable "workaround" to convert the ZIP into a BASE64 encoded TXT, storing it on the webserver? Then, when the file has been d/l successfully, the webclient converts it back to a ZIP?

Is this a method to fly under the radar?

Thanks in advance,
Wolfgang

Bruce

Re: Convert ZIP to BASE64 for d/l
« Reply #1 on: April 18, 2014, 01:07:03 AM »
Hi Wolfgang,

>> my plan is to make my program a Webclient, that the admin can check the option to look for the latest version and possibly download the ZIP from my webserver.

This is easy to do, but it does expose you to malware if you don't have appropriate safety controls in place. Especially if the program updates automatically. Personally I'd recommend something like SafeUpdate if you want to go this route.

That said:
>> However, in some networks the download of binary files is prohibited or they do a Deep Inspection, whether there is an EXE hidden inside the ZIP and then cancel the download for security reasons.

That's true. If the network policy prevents this sort of downloading, and they have specific proxies in place to prevent it, then I think you should respect that. If they want to allow your program to download exe's then they can adjust their policy to do that. Allowing people to circumvent this protection is not usually ideal.

>> Would it be a viable "workaround" to convert the ZIP into a BASE64 encoded TXT, storing it on the webserver? Then, when the file has been d/l successfully, the webclient converts it back to a ZIP?

Yes, although it seldom needs to be this complex. Just renaming the Exe to .Dat is usually sufficient. Base 64 will make it at least 25% bigger, so probably not my first choice.

cheers
Bruce


Wolfgang Orth

Re: Convert ZIP to BASE64 for d/l
« Reply #2 on: April 18, 2014, 01:24:15 AM »
Bruce,

Actually, I agree with you.

My aim is to make it as easy as possible for the user (admin in this case). Setting a checkmark to "Download updates" and he is done.

On the other side, we could expect from an admin to alter the allowances, if he wants to use this option.

SafeUpdate would be nice, but not needed in this case, as the update will only be downloaded. The actual update process has to be started intentionally by the admin. It can't be done automatically, as it's about hospitals.

So, in general it would be possible, but it's better to play with open cards.

Thanks for your response,
Wolfgang

Bruce

Re: Convert ZIP to BASE64 for d/l
« Reply #3 on: April 18, 2014, 01:27:24 AM »
Hi Wolfgang,

>> Safeupdate would be nice, but not needed in this case, as the Update will only be downloaded. The actual update process has to be started intentionally by the admin.

How will the admin determine that the download hasn't been altered if it is not signed?

On the up side, since they are doing it manually you'll only compromise one, or a few, hospitals at a time, and not your whole client base. So I guess it all depends on how much you value your customers and reputation.

cheers
Bruce

Wolfgang Orth

Re: Convert ZIP to BASE64 for d/l
« Reply #4 on: April 18, 2014, 01:35:15 AM »
The Install.EXE is created with SetupBuilder and will be code-signed.

In addition, the Admin will be notified by e-mail that a download has taken place and is waiting at X:\whatever\the_new_download....

This notification mail will also have an MD5 hash to compare.

You do not think that this is sufficient?