Notepad++ updater was compromised for 6 months in supply-chain attack
Briefly

"If you can intercept and change this traffic, you can redirect the download to any location it appears by changing the URL in the property. This traffic is supposed to be over HTTPS, however it appears you may be [able] to tamper with the traffic if you sit on the ISP level and TLS intercept. In earlier versions of Notepad++, the traffic was just over HTTP."
"The downloads themselves are signed; however, some earlier versions of Notepad++ used a self-signed root cert, which is on GitHub. With 8.8.7, the prior release, this was reverted to GlobalSign. Effectively, there's a situation where the download isn't robustly checked for tampering. Because traffic to notepad-plus-plus.org is fairly rare, it may be possible to sit inside the ISP chain and redirect to a different download. To do this at any kind of scale requires a lot of resources."
Update traffic for Notepad++ can be intercepted and altered at the ISP level using TLS interception, allowing downloads to be redirected by changing the URL property in the update response. Earlier releases used plain HTTP or a self-signed root certificate, weakening verification; release 8.8.7 reverted signing to GlobalSign, but download integrity checks are still not robust. Search results and extensions are saturated with trojanized copies and malicious plugins, increasing the risk. Users should manually install official version 8.8.8 or higher from notepad-plus-plus.org. Organizations should consider blocking notepad-plus-plus.org or preventing gup.exe and notepad++.exe from accessing the internet, though such measures may be impractical for many.
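The two controls the summary recommends (verify the copy you installed by hand, and stop the updater from reaching the internet) can be scripted on the endpoint. The PowerShell below is an added example written for this page; it is not code from Ars Technica, the Notepad++ project, or the researcher quoted above. It assumes the default 64-bit install directory, the updater living in the `updater` subfolder as `GUP.exe`, and a signer subject containing "Notepad++"; only the GlobalSign issuer and the 8.8.8 minimum version come from the page itself.

```powershell
# Added example (not from the page or the Notepad++ project).
# Assumptions are marked inline; confirm them against a known-good install before relying on the checks.

$NppDir          = 'C:\Program Files\Notepad++'        # assumed default install path
$NppExe          = Join-Path $NppDir 'notepad++.exe'
$GupExe          = Join-Path $NppDir 'updater\GUP.exe' # assumed updater location
$MinVersion      = [version]'8.8.8'                     # minimum safe release named in the summary
$ExpectedIssuer  = 'GlobalSign'                         # CA the summary says signs current releases
$ExpectedSubject = 'Notepad++'                          # assumed signer CN; verify against a known-good copy

function Test-NppBinary {
    # Checks a Notepad++ binary (installed exe or downloaded installer) for a valid Authenticode
    # signature from the expected signer and a version at or above the minimum.
    param([Parameter(Mandatory)][string]$Path)

    $result = [ordered]@{
        Path = $Path; Exists = (Test-Path $Path); Version = $null
        SignatureValid = $false; IssuerOk = $false; SubjectOk = $false; VersionOk = $false
    }
    if (-not $result.Exists) { return [pscustomobject]$result }

    # Authenticode: 'Valid' means the chain builds to a trusted root and the file hash matches the signature.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignatureValid = ($sig.Status -eq 'Valid')
    if ($sig.SignerCertificate) {
        $result.IssuerOk  = $sig.SignerCertificate.Issuer  -like "*$ExpectedIssuer*"
        $result.SubjectOk = $sig.SignerCertificate.Subject -like "*$ExpectedSubject*"
    }

    # Version from the file's version resource; strip any trailing tag before parsing.
    $pv = (Get-Item $Path).VersionInfo.ProductVersion
    try {
        $result.Version   = [version]($pv -replace '[^\d.].*$', '')
        $result.VersionOk = $result.Version -ge $MinVersion
    } catch { $result.Version = $pv }   # unparsable version string: leave VersionOk = $false

    [pscustomobject]$result
}

function Block-NppOutbound {
    # Outbound Windows Firewall block rules for the updater and the editor, the control the
    # summary suggests for organizations. Needs an elevated session; skips rules that already exist.
    foreach ($exe in @($GupExe, $NppExe)) {
        $name = "Block outbound - $(Split-Path $exe -Leaf)"
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            Write-Verbose "Rule '$name' already present"
            continue
        }
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Program $exe `
            -Action Block -Profile Any -Enabled True | Out-Null
        Write-Host "Created rule: $name"
    }
}

# Usage: report on the installed editor; all four *Ok / SignatureValid fields should be True.
Test-NppBinary -Path $NppExe | Format-List
# Block-NppOutbound   # run in an elevated session once auto-updates are to be disabled
```

A valid signature from the expected signer shows the file was not altered after signing, which is the tampering scenario the quotes describe; it does not by itself prove the file came from notepad-plus-plus.org, so the version check and a manual download from the official site remain part of the procedure. Blocking `GUP.exe` outbound stops the updater from fetching a redirected download at all, at the cost of having to distribute new releases yourself.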
Read at Ars Technica