Solved
[BigZip] May I know if the zip output is encrypted (rather than just password-protected)?
Forge component by Carlos Alfaro
Published on 14 Dec 2020
Application Type
Traditional Web

May I know if the zip output is encrypted (rather than just password-protected)?

MVP
Rank: #19
Solution

Hi YS,

As far as I'm aware, the contents of a password-protected ZIP file are always encrypted... but maybe not the way you are expecting:

  • a ZIP file is a container that holds other files and folders inside (in a compressed format)
  • password-protected ZIP files encrypt individual files inside, but the container itself is not encrypted, allowing access to the list of files themselves along with their metadata and potentially even allowing a malicious agent to replace files undetected.

That being said, this is general to all ZIP files (regardless of the applications or components that generate or manipulate them).

Do note that the component's documentation explicitly mentions this:

"Password - optional password for protecting the ZIP archive. If you specify a password, the password is needed to extract a file from the archive. Note that regardless of whether a password is specified, the file names are always visible (e.g. in Windows), so it's not a full protection."

Rank: #2318

So that means a password-protected BigZip file HAS persistent data-level encryption? Thanks (:

Rank: #25483

Any idea what's the encryption algorithm used here?

MVP
Rank: #2

Hi Yappy,

BigZip is using the Ionic Zip library, the documentation of which can be found here. According to the documentation, by default the "PKZip 2.0 ("Weak") encryption is used". It's possible to specify a different encryption, but BigZip doesn't do that, so that default is used.

Rank: #25483


Is there any way for us to change the encryption method? For example, change it to AES.

MVP
Rank: #2

There is currently not, but if you need it, I could add it to the component and publish a new version.

MVP
Rank: #2

Ok, I went ahead and already added it. You can get the latest version of BigZip (2.1.0) from the Forge, which now includes actions to change the compression level, password and encryption algorithm. I hope this helps!
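An added example, not part of the original thread and not BigZip or Ionic Zip code: a Python check that reads only a ZIP's central directory, without any password, to list the entry names and the encryption scheme each entry declares. It illustrates both points made above, that file names stay visible and that the weak PKZip 2.0 scheme can be told apart from AES. The sample archive is constructed, the function names are this example's own, and AES entries are assumed to follow the WinZip AE-x convention (method 99, extra field 0x9901).

```python
import io
import struct
import zipfile

AES_METHOD = 99          # WinZip AE-x marker stored in the compression-method field
AES_EXTRA_ID = 0x9901    # extra-field record that carries the AES key strength
AES_BITS = {1: 128, 2: 192, 3: 256}

def entry_encryption(info):
    """Classify one ZipInfo by the encryption scheme its headers declare."""
    if not info.flag_bits & 0x1:          # general-purpose bit 0: entry is encrypted
        return "none"
    if info.flag_bits & 0x40:             # bit 6: PKWARE strong encryption
        return "PKWARE strong encryption"
    if info.compress_type != AES_METHOD:
        return "ZipCrypto (PKZIP 2.0, weak)"
    extra = info.extra
    while len(extra) >= 4:                # walk the (id, length, data) extra records
        field_id, size = struct.unpack("<HH", extra[:4])
        if field_id == AES_EXTRA_ID and size >= 7:
            strength = extra[8]           # follows version (2 bytes) and vendor "AE" (2 bytes)
            return f"AES-{AES_BITS.get(strength, '?')}"
        extra = extra[4 + size:]
    return "AES (strength unknown)"

def audit(zip_bytes):
    """Return {entry name: encryption}; names are readable without the password."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {i.filename: entry_encryption(i) for i in zf.infolist()}

def constructed_sample():
    """Constructed archive: headers are patched to mimic encrypted entries only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("plain.txt", "payroll.csv", "contracts.pdf"):
            zf.writestr(name, b"placeholder")
        _, weak, aes = zf.infolist()      # mutate metadata before the directory is written
        weak.flag_bits |= 0x1
        aes.flag_bits |= 0x1
        aes.compress_type = AES_METHOD
        aes.extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
    return buf.getvalue()

if __name__ == "__main__":
    for name, scheme in audit(constructed_sample()).items():
        print(f"{name}: {scheme}")
```

To audit a real archive, pass its bytes to `audit()`; any entry reported as ZipCrypto is using the weak default described above.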

Rank: #2318
MVP
Rank: #2

You're most welcome :). Happy coding!