GitLab

What's the problem?

When 7z is available, File Roller uses AES-128 to encrypt files in the ZIP archive (without 7z, it uses ZipCrypto). From a security standpoint, this choice of an algorithm is all well and good.

However, the problem is that many other ZIP unarchivers do not support AES, and cannot read files from AES-encrypted archives. Notable examples are Windows's native ZIP handler and Info Zip, and both combined have a quite large user base.

This situation can cause a very difficult compatibility issue for users.

Example

Think about the following case:

1. Alice is using Ubuntu as her personal computer.
2. One day, she installed p7zip-full package, since it was in the dependency list of some software she wanted to use.
3. Several days later, her friend Bob requested her to send him the photos of the New Year's party.
4. So she created a ZIP archive using File Roller, attached a password to it, and sent the created archive.
5. Now Bob, who uses Windows 10, cannot open the archive.

This creates a very bad user experience, especially because:

1. Alice has no clue why her ZIP archives become unreadable to other people.
   • To trace the root cause, she practically needs to read the source code of File Roller.
   • (BTW this is exactly what I did to troubleshoot my friend)
2. All this happens "behind the curtain".
   • At the very least, it is not obvious that installing 7z makes subsequent ZIP archives incompatible.
3. There is practically nothing Alice can do to fix the issue.
   • Since the choice of AES-128 is hard-coded, recompiling is required to alter the behaviour.

Solution

The best idea I can think of for now is to change the default encryption method to ZipCrypto (patch attached).

Although this method is weak and old, I think it is the least likely way to cause problems in most user environments.