Dwedit
pibaker
How can the average 7zip user know which one it is?
Search results can be gamed by SEO, there were also cases of malware developers buying ads so links to the malware download show up above legitimate ones. Wikipedia works only for projects prominent enough to have a Wikipedia page.
What are the other mechanisms for finding out the official website of a software?
n4bz0r
There is normally a wiki page for every popular program which normally contains an official site URL. That's how I remember where to actually get PuTTY. Wiki can potentially be abused if it's a lesser known software, but, in general, it's a good indicator of legitimacy.
throwaway198846
So Wikipedia is now part of the supply chain (informally), which means there is another set of people who will try to hijack Wikipedia, as if we didn't have enough. Just great.
antisthenes
> How can the average 7zip user know which one it is?
I dunno, if you type "download 7zip" into Google, the top result is the official website.
Also, 7zip.com is nowhere on the first page, and the most common browsers show you explicitly it's a phishing website.
This is actually a pretty good case of the regular user being pretty safe from downloading malware.
pibaker
I feel I need to clarify my earlier comment. I was asking how a user can tell, in general, what the legitimate website of a piece of software is, not just how to know that 7zip.com is malicious.
Are the search removals and phishing warnings reactive or proactive? Because if it is the former then we don't really know how many users are already affected before security researchers got notified and took action.
Also, 7zip is not the only software to be affected by similar domain squatting "attacks." If you search for PuTTY, the unofficial putty.org website will be very high on the list (top place when I googled "download putty.") While it is not serving malware, yet, the fact that the more legitimate sounding domain is not controlled by the original author does leave the door open for future attacks.
sedatk
> I dunno, if you type "download 7zip" into Google, the top result is the official website.
Until someone puts an ad above it.
TiredOfLife
> Also, 7zip.com is nowhere on the first page
In incognito window, for me, it's 3rd result
Lockal
Fails to load for me with: "The page was blocked because of a matching filter in uBlock filters – Badware risks."
Which is enabled by default in uBlock. And installing it is pretty much a standard suggestion for any web user.
harladsinsteden
How would you ensure that the "average user" actually gets to the page he expects to get to?
There are risks in everything you do. If the average user doesn't know where the application he wants to download _actually_ comes from then maybe the average user shouldn't use the internet at all?
KronisLV
> How would you ensure that the "average user" actually gets to the page he expects to get to?
I think you practically can't and that's the problem.
TLS doesn't help with figuring out which page is the real one, EV certs never really caught on and most financial incentives make such mechanisms unviable. Same for additional sources of information like Wikipedia, since that just shifts the burden of combatting misinformation onto the editors there, and not every project matters enough to have a page. You could use an OS with a package manager, but not all software is packaged like that, and that doesn't immediately make it immune to takeovers or bad actors.
An unreasonable take would be:
> A set of government run repositories and mirrors under a new TLD which is not allowed for anything other than hosting software packages, similar to how .gov ones already work - be it through package manager repositories or websites. Only source can be submitted by developers, who also need their ID verified and need to sign every release; it then gets reviewed by the employees and is only published after automated checks as well. Anyone who tries funny business goes to jail. The unfortunate side effect is that you now live in a dystopia and go to jail anyway.
A more reasonable take would be that it's not something you can solve easily.
> If the average user doesn't know where the application he wants to download _actually_ comes from then maybe the average user shouldn't use the internet at all?
People die in car crashes. We can't eliminate those altogether, but at least we can take steps towards making things better, instead of telling them that maybe they should just not drive. Tough problems regardless.
imglorp
Open source software will have a code repo with active development happening on it. That repo will usually link to official Web page and download places.
lukan
Not universally true. Open source just means that the code is available, not that development happens in the open. (But 7zip does have a github repo)
Someone
The fork with malware embedded could fairly easily apply most commits to the main repo in its public repo.
They could even have support pages that look real, by copying them from the legitimate site.
And the process of creating a repo that stays in sync with another fork can be automated, so, if needed, malware writers likely will do that.
rtcode_io
1. Go to the wikipedia article on 7-Zip
2. Go to the listed homepage
cermicelli
Avoid downloading stuff off the internet and avoid search engines.
In a post-AI world, asking how not to be scammed is hard, because now everything can be faked.
Trust what you definitely know, but still verify.
Especially in the next 5-10 years that's going to become the reality, so I guess sit tight and prepare for the waves and tsunamis of scams.
throwaway150
I tested with the 3 major browsers and all 3 block it as "Suspected Phishing". So looks like the system is working as designed.
Lookalike websites serving malware have always existed. So this isn't exactly news. But the browsers are blocking them like they should.
chalion
Weirdly, in Firefox 7zip.com is blocked but www.7zip.com isn't. If you type '7zip' in the address bar and then press Ctrl+Enter to go to the address, you'll get owned, because that key-combo adds the www at the beginning.
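The bypass chalion describes above is a blocklist matching problem: a list that contains the bare name `7zip.com` and is matched by exact string comparison lets `www.7zip.com` (the host Ctrl+Enter produces) through. The following PowerShell is an added example written for this page, not code from Firefox, uBlock or any commenter; the one-entry list is constructed for the demonstration and is not either product's real data. It contrasts the exact match with a normalized suffix match that treats any label under a listed domain as blocked.

```powershell
# Added example: exact-match hostname blocklist vs. normalized suffix match.
# $BlockedDomains is a constructed list for the demo, not real blocklist data.
$BlockedDomains = @('7zip.com')

function Get-NormalizedHost {
    param([Parameter(Mandatory)][string]$Url)
    # Host names are case-insensitive and a trailing dot names the same zone,
    # so fold both before comparing.
    $uri = [System.Uri]$Url
    return $uri.Host.ToLowerInvariant().TrimEnd('.')
}

function Test-BlockedHostExact {
    param([Parameter(Mandatory)][string]$Url)
    # The naive check: only the literal listed name matches,
    # so www.7zip.com is not caught.
    $h = Get-NormalizedHost $Url
    return [bool]($BlockedDomains -contains $h)
}

function Test-BlockedHost {
    param([Parameter(Mandatory)][string]$Url)
    $h = Get-NormalizedHost $Url
    foreach ($d in $BlockedDomains) {
        # Match the listed name itself and any label under it
        # (www.7zip.com, cdn.7zip.com, ...). Requiring the '.' before the
        # suffix keeps an unrelated name such as not7zip.com from matching.
        if ($h -eq $d -or $h.EndsWith('.' + $d)) { return $true }
    }
    return $false
}

foreach ($u in 'https://7zip.com/', 'https://www.7zip.com/download', 'https://7-zip.org/') {
    '{0,-32} exact={1,-5} suffix={2}' -f $u, (Test-BlockedHostExact $u), (Test-BlockedHost $u)
}
```

With the list above, the exact check reports `7zip.com` as blocked and `www.7zip.com` as allowed, while the suffix check blocks both and still allows `7-zip.org`. Real phishing lists generally do match on registrable domain plus subdomains; the Firefox behaviour reported in the thread is consistent with a list entry that, for whatever reason, covered only the bare name.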
pentagrama
Yes, and I think this case gets somewhat more notoriety because the phishing site has the .com domain and the legitimate one has a .org.
Like it or not, .com adds perceived trustworthiness and works as a branding signal, especially in these times of VCs throwing large amounts of money at branding and buying 3 to 6 letter .com domains, but a small project like 7zip cannot afford that kind of expense.
mmh0000
This has been a long-standing problem with 7-Zip.
An article from 2018:
https://www.bleepingcomputer.com/news/security/fake-websites...
And uBlock Origin's "Badware" filter blocks it:
https://github.com/uBlockOrigin/uAssets/blob/master/filters/...
krypd0h
The links to the file downloads on 7zip.com all point to 7-zip.org. Example: https://www.7-zip.org/a/7z2501-x64.exe
Did they change it because of the negative publicity (Reddit) and will probably change back soon to the malware links?
chalion
Maybe that's how they don't get banned by their hosting provider. Once reports start coming in, they pretend to be an honest establishment.
ruicraveiro
As a Linux user, used to get all of my software either through the distro's repository or Flathub, having to download software from sites when I run Windows makes me feel really queasy.
FireInsight
winget ftw
tokyobreakfast
Does the 7-Zip author still refuse to digitally sign or even provide hashes of the official downloads? It's an extremely weird flex, he thinks it's a frivolous waste of time or something.
jsheard
He's always been an odd one, for a long time he refused to enable even basic hardening features like ASLR and DEP because they made the executables slightly larger. He eventually relented on some of those, but last I heard the more advanced mitigations like HE-ASLR, CFG and GS were still disabled.
mirashii
Even more, there are regularly security vulnerabilities patched in releases that don't get CVEs and don't get any mention in patch notes, there are no incremental commits between releases, just giant code dumps. There's no changelog linked on the 7-zip.org website. There's no auto-update or update check mechanism, which is problematic for a project with regular CVEs whose primary purpose is handling untrusted inputs.
7-zip is not a serious project and its use should be strongly discouraged.
reddalo
I migrated from 7-Zip to NanaZip, a fork with modern Windows features that the original developer refuses to implement.
baal80spam
Whenever I see "modern Windows experience", it always turns out to be worse than the original one.
margalabargala
I take your point, and usually you're right, but in this case "modern features" includes things like having an "extract" button show up when you right click an archive file in Explorer.
deltastone
I would agree normally, but this one is a nice change and upgrade, actually.
dlcarrier
Well yeah, it says "modern" not "better".
Modern Windows and OS X and Android and iOS are all worse than the old ones.
TiredOfLife
Windows 11 has 7-zip support built in.
Already__Taken
No update for a year for something that opens weird files from the internet is a little scary, even just dependency changes. Not that 7-zip was ever any better at that.
giancarlostoro
Do people even double check installers are digitally signed? There's so much open source stuff out there that is not digitally signed, most people might not even notice.
tokyobreakfast
Windows has displayed a big scary orange prompt for at least the last decade when it isn't. More like 15-20 years IIRC.
But I'm sure people blindly click through the "Unknown author" prompt just as they would ignore a certificate error.
giancarlostoro
Like I said, there's a LOT of open source projects that show that prompt. Signing an MSI involves having a valid CA certificate, which AFAIK is not free, and goes beyond the budget of most projects.
rustyhancock
Orange? It's a blue warning isn't it? Is this how one of us finds out he's colour blind?
ozim
I use winget or homebrew, those tools do so for me and if something doesn't match they show an error.
fuzzy2
Neither WinGet nor Homebrew packages/formulae provide authenticity checks. They have integrity checks for file transfer. That’s it. Where did the file come from when it was entered into the respective repository? No statement.
Whether Authenticode provides a sufficient authenticity check is yet another question, of course. Still, file integrity verification is just a side-effect.
wowczarek
The .com site serving malware aside, it's how people even get to downloading this. PC builder [...], USB stick [...], YouTube tutorial for a new build [...] instructed to download. Makes me wonder, is this how "PC builders" build PCs, or was this a regular user person. Archive managers are such basic software that I'd think surely someone would keep a stash of (trusted) installer files for the basic tools to be installed in a new environment. At least that's what we used to do, like, 25 years ago. Or use choco, winget or whatever. Malware hygiene habits remain almost unchanged - don't click that link.
usr1106
It says the code signing cert has been revoked by now.
How does verification work? Only at installation time or will it prevent running the installed files later if installation happened when the cert was still accepted?
Linux user asking out of curiosity...
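To make the verification usr1106 asks about concrete: Windows evaluates an installer's Authenticode signature when the file is launched (that is where the "Unknown publisher" prompt mentioned earlier in the thread comes from); files that are already installed are not re-checked unless an application-control policy or a script does it. The PowerShell below is an added example for this page, not code from any commenter or from Microsoft's documentation. It runs that check on demand: it reads the signature status with `Get-AuthenticodeSignature`, then builds the signer's certificate chain with online revocation checking so that a revoked signing certificate shows up explicitly, and records the file's SHA-256 alongside. The file path is a placeholder to replace with the download you want to check.

```powershell
# Added example: on-demand Authenticode and revocation check for a downloaded file.
# The path passed at the bottom is a placeholder, not a real file on this page.
function Test-InstallerSignature {
    param([Parameter(Mandatory)][string]$Path)

    # Status is one of Valid, NotSigned, HashMismatch, NotTrusted,
    # NotSupportedFileFormat, Incompatible or UnknownError.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    $result = [ordered]@{
        File        = $Path
        Status      = $sig.Status
        Signer      = $sig.SignerCertificate.Subject       # $null when unsigned
        Timestamper = $sig.TimeStamperCertificate.Subject  # $null when not timestamped
        Revoked     = $false
        ChainErrors = @()
        SHA256      = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    }

    if ($sig.SignerCertificate) {
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        # Ask the CA's CRL/OCSP endpoints, for every certificate in the chain,
        # so a revoked signing certificate is reported rather than silently accepted.
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        # Require the code-signing extended key usage (OID 1.3.6.1.5.5.7.3.3).
        $chain.ChainPolicy.ApplicationPolicy.Add(
            [System.Security.Cryptography.Oid]::new('1.3.6.1.5.5.7.3.3'))

        $null = $chain.Build($sig.SignerCertificate)
        $result.ChainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        $result.Revoked     = $result.ChainErrors -contains 'Revoked'
    }

    return [pscustomobject]$result
}

# Placeholder path: point this at the installer you actually downloaded.
$r = Test-InstallerSignature -Path 'C:\Users\me\Downloads\installer.exe'
$r | Format-List

if ($r.Status -ne 'Valid' -or $r.Revoked) {
    Write-Warning ("Do not run {0}: signature status {1}, revoked={2}, chain errors: {3}" -f
        $r.File, $r.Status, $r.Revoked, ($r.ChainErrors -join ', '))
}
```

Two points the output makes visible. A signature that was countersigned by a timestamp authority stays `Valid` after the signing certificate expires, but if the CA revokes the certificate with an effective date earlier than the signing time, the chain build reports `Revoked` and the signature should be treated as worthless even though the file itself has not changed. And the SHA-256 line is the same integrity check a winget manifest's hash gives you: it tells you the bytes match a recorded value, but says nothing about who produced them, which is the distinction fuzzy2 draws above.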
bloaf
I've started using winget to install my apps for exactly this reason. I can't keep track of every url for every piece of software.
ptx
Is that safe? Microsoft's policy [1] seems to say that anyone can publish an update to a package as long as it passes "an automated process" which checks that it's "not known to be malicious".
[1] https://learn.microsoft.com/en-us/windows/package-manager/pa...
fuzzy2
It’s not. And it gets worse. A WinGet package can suddenly be introduced for software you have already installed and then the next "update all" will install whatever. Could be something completely different!
WinGet is not only unreliable, it is but one step removed from Remote Code Execution as a Service. Well, maybe one-and-a-half, if package repo maintainers were to pay attention, but that’s not realistic.
bloaf
It would have prevented both this 7zip attack and the recent notepad++ one.
Bender
The only solutions for the malicious domain would be lawsuits or hacktivism. As others have said, it is blocked in uBlock by default, which everyone should be using at a bare minimum.
pendingrunner
I usually check some other reliable source for official web address. Earlier I used Wikipedia. Recently found out Softorage, so using that nowadays.
7zip.com has never been the official website of the project. It's been 7-zip.org