I would like to add a suggestion: As far as I can see the keys will be shown and stored in the clear.

From my practical experience there are several situations where you use your own key for client pages or nonsalaried work (for example for a club). And you are not always able to hide it using user access.

This will be a problem with normal keys, but a critical problem if those keys are related to
volume-based billing, e.g picture optimizing.

The best way would be a sub-key management on developer side, but this is unrealistic... It'll be the other way around. With the key feature more devs of small extensions will integrate a key feature with a single key. This is a quick thing, but a sub key management system is a different number.

Is there a way to hash the keys or at least hide them in the backend in order to make access more difficult?

@ka3media This is a fair point I have of course given a lot of thought about. However, the sub-key management at the developer's side is (a big part of) the best realistic solution. I put headings where appropriate in the long reply so you can more easily follow my reasoning.

Hashing at the end user's site is a no-go

Download keys need to be used "in the clear" when making a request to the developer's server, to identify the client and determine (at the developer's side) whether the download should be allowed or not. This precludes using a hashing function since, by its very definition, it is a one-way function. That is to say, the hash cannot be converted back to the key.

Hashing at the developer's site is a no-go

What if the developers site accepted the hash instead of the key, you might ask. Well, in this case we just do a whole lot about nothing at all. A malicious user could copy the hash to their site and receive updates. Even if there is no UI to do that they could do a simple DB query.

Encryption at the end user's site (Joomla) is a no-go

If the encryption key is stored at the end user's site then, by definition, a rogue Super User could use it to decrypt the encrypted download key and have it in the clear, just like Joomla would need to do when trying to download the update. So, no go.

If the encryption key is stored at the developer's side you are back to square one: whatever you enter in Joomla will be valid on any site.

Moreover, Joomla needs to provide a UI for the user to enter, view and change the download key. So even if it's not shown in the Update Sites list it will still be visible when editing an update site.

Finally, Joomla would anyway display the failed download URL, including the key, in case of a download error.

Encryption at the developer's site is a no-go

This leads us back to mitigating the risk of key reuse on the developer's side. Ideally, you'd need to create one download key per domain name supported. However, this has two drawbacks:

• Joomla does not send an HTTP Referer when downloading the update, meaning you don't know which site you are downloading the update for.
• The only way you can legally distribute an extension for Joomla is licensing it under GPLv2 or any later version (including GPLv3) which precludes preventing the use of your software on a site dependent on a download key. Restriction of using your software would invalidate the license. Note, however, that restricting the use of any services your provide through your infrastructure / company is still legal.

You can solve this with sub-keys and tying services into your software

Here is a practical solution I've implemented

• Sub-keys (Add-on Download IDs in the case of my software). I ask my clients to create one Add-on Download ID per site or client of their own and revoke them when they cut ties with that client / site or when they have a suspicion that the keys are being abused. Failure to do so can lead to their subscription being terminated without a refund. People generally comply with this and I've found that key management is trivial compared to any other technical solution.
• Tie popular features to a service on my servers where it makes sense. For example, transferring your backups to a remote storage provider which uses OAuth2 (e.g. Dropbox, Google Drive, OneDrive etc) requires an OAuth2 mediator endpoint with my application keys on my servers. That's a service I provide and it requires a valid download key. If I detect abuse, see above (which means that now your backups don't store remotely). This makes people seek compliance with the sub-key policy.

In the end of the day it's about giving a reason to your clients to self-police their behavior and penalize aberrations to your policy.

Why it's not as important as you think

It is worth noting that only Super Users are able to see the Update Sites page and the download keys. Therefore the whole issue is a matter of trust. If you don't trust your client to keep the download keys safe from improper access you can and should penalize them, e.g. by disabling their subscription without a refund. So with normal keys the problem has a known solution and it's the same as dealing with warez. It's not a widespread problem because most people are decent and understand that if the screw over a developer then the developer will screw over them tenfold or will go out of business, in which case they're totally screwed as the software they depend on is dead. Bad apples are actually rare and they're people who wouldn't be paying you anyway.

In the other use case you mentioned (volume pricing), the problem is not critical for you the developer but for your client. If they use their download key in an unsafe environment their limited resource (e.g. picture optimization credits) are depleted by improper use. If they come back to you the developer you can tell them who used the service, when and where from. It's then the client's problem to seek redress from the unauthorized parties.

Let's not reinvent the wheel

I would like to note that this conundrum is not unique to Joomla or even new. It has existed before I was even born and I'm almost 40 :) As long as you have an alphanumeric key to unlock software which is not tied to a specific installation you do run the risk of someone abusing it. The amount of abuse you will witness is too small to warrant any further thought. As I said, most users really do understand that they only way to have reliable software is to pay an affordable price. Only absolute morons and sociopaths will actively try to screw you over by subverting download keys. The good news is that this kind of scum is rare (but I do understand that it's also memorable, hence this discussion).

Moreover, in the case of FOSS we can't really enforce keys tied to installations without invalidating the license of our software, shooting ourselves in the feet.

Please test PR #26744

@Quy Can you please change your comment to point to the correct PR, gh-26744 please?