pegasus
Well-known member
In my opinion the worst problem with this has nothing to do with license verification or piracy. But with a browser-based cross-site install option like this, an admin unknowingly opens himself up to a man-in-the-middle attack. If this occurs, an upstream party can modify (or completely replace) the incoming XenForo files with a virus or other malicious code.
Any one-click solution, on both the verification and the actual transfer, absolutely needs to use a secure transport. Thankfully the XenForo customer area has one in place, so it's just a question of writing the right curl/fsock code... But since users have brought up the AddOnInstaller mod - this does not use an encrypted connection.
Even if you upload your files the old-fashioned way, use SFTP, SCP, or something like that. Use private keys. Avoid using wget from SSH as much as you can. As someone who fell victim to a MITM attack in December, I can tell you the results are not fun at all.
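Added example, not part of the post above and not XenForo or AddOnInstaller code: a sketch in PHP of the curl settings an installer's download step needs so that the transfer fails instead of silently accepting tampered or downgraded traffic. The function name `fetch_over_tls` and the `.part` temp-file convention are hypothetical.

```php
<?php
// Added example: hypothetical helper, not XenForo or AddOnInstaller code.
function fetch_over_tls(string $url, string $dest): void
{
    // Refuse anything but https:// before a single byte goes on the wire.
    if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https') {
        throw new InvalidArgumentException('Refusing non-HTTPS URL: ' . $url);
    }

    // Download to a temp file so a failed transfer never leaves a
    // half-written archive where the installer would pick it up.
    $tmp = $dest . '.part';
    $fh = fopen($tmp, 'wb');
    if ($fh === false) {
        throw new RuntimeException('Cannot open ' . $tmp);
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_FILE            => $fh,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS, // no plain-HTTP fallback
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS, // redirects stay on TLS
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 3,
        CURLOPT_SSL_VERIFYPEER  => true, // validate the certificate chain
        CURLOPT_SSL_VERIFYHOST  => 2,    // certificate must match the host
        CURLOPT_FAILONERROR     => true, // HTTP >= 400 counts as failure
        CURLOPT_CONNECTTIMEOUT  => 10,
        CURLOPT_TIMEOUT         => 120,
    ]);

    $ok  = curl_exec($ch);
    $err = curl_error($ch);
    fclose($fh);

    if ($ok === false) {
        unlink($tmp);
        throw new RuntimeException('Download failed: ' . $err);
    }
    if (!rename($tmp, $dest)) {
        unlink($tmp);
        throw new RuntimeException('Cannot move download to ' . $dest);
    }
}

// Usage from the command line: php fetch.php <https-url> <destination>
if (PHP_SAPI === 'cli' && isset($argv[1], $argv[2])) {
    fetch_over_tls($argv[1], $argv[2]);
}
```

Setting `CURLOPT_SSL_VERIFYPEER` to `false` or `CURLOPT_SSL_VERIFYHOST` to `0` to silence certificate errors removes the protection entirely, since the connection is then encrypted to whoever answers.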