The code editor Notepad++ has released a revision of its automatic update mechanism. This change arises as a direct response to a recent security incident, where an attack compromised its servers and put users at risk. The new implementation seeks to prevent a repeat of a situation where malicious versions could be distributed through the program's own update system.
Double Lock and Cryptographic Verification Mechanism 🔒
The technical solution is based on a double lock system. Now, the process requires explicit user confirmation to proceed with the download and installation, adding a human interaction barrier. Internally, the cryptographic verification of the binaries has been strengthened. Each update must be digitally signed with two distinct keys: one from the developer and another from an external timestamping service, making it complex to falsify a version without access to both.
Updating Now Requires More Clicks Than Writing Hello World 😅
Users accustomed to the convenience of one-click updates may feel that the process now is like going through two different customs. First the program asks if you're sure, then the operating system interrogates you if you trust the signer, and finally you yourself must question whether you really need those new features. It's a small time price for security, although some already miss the innocence of when a simple Update didn't generate an existential reflection moment.