Is zip encryption secure?
Following my answer. If I can list the contents of a password-protected ZIP file, check the file types of each stored file and even replace one with another, without actually knowing the password, then should ZIP files still be treated as secure?
This is completely insecure in terms of social engineering / influence etc.
I can hijack (intercept) someone else's file (a password-protected ZIP file) and replace one of the files it contains with my own (fake, virus) without knowing the password. Replaced files will remain unencrypted, not password-protected inside the ZIP, but the other files won't be modified.
If a victim unpacks a password-protected archive, the extracting program will ask for the password only once, not once for each file. So the end user will not see the difference -- whether the program does not ask for a password because it already knows it (original file) or because the file being extracted doesn't need a password (file modified by me). This way, I can inject something really bad into a password-protected ZIP file without knowing its password and count on the receiver assuming the file is unmodified.
Am I missing something, or is this really wrong? What can we say about the security of a solution if a password is not required to introduce any modification in a password-protected file?
The password is meant to ensure confidentiality, not integrity or authenticity.
This is one of those cases where security is limited by usability and human intent. The archive manager has no way of telling whether or not the file you modified was meant to be encrypted in the first place. Essentially this is a social engineering attack, in that you tricked the user into believing that the original file was in place. However, the real security vulnerability would be that you had read/write access to a sensitive archive in the first place.
As far as mitigation goes, there are a few ways to increase security:
Use an archive format that supports filename encryption (e.g. 7-Zip, RAR).
Sign the archive with a private key, e.g. via GPG.
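The following is an added example, not code from the question or the answer above. It demonstrates the point both posts rely on: ZIP's traditional encryption is applied per member (general-purpose flag bit 0 in each entry header), so an archive can contain encrypted and plaintext members side by side, and a library or extractor will hand back the plaintext members without ever asking for a password. The audit functions below read the central directory with Python's standard `zipfile` module and report which members are not marked encrypted; a receiver can run such a check before extracting. The fixture archive is hand-built with `struct` so the example runs offline; the bytes stored under the "encrypted" member are an opaque constructed stand-in, never decrypted here, and all member names are made up.

```python
"""Audit a ZIP archive for members that are stored without encryption.

Added example for this thread, not code from the question or answer.
"""
import io
import struct
import zipfile
import zlib

ENCRYPTED_FLAG = 0x0001  # general-purpose bit 0: "this member is encrypted"


def _build_zip(members):
    """Build a minimal stored-only ZIP from (name, data, flags) tuples.

    Constructed fixture writer: it emits just enough of the local headers,
    central directory and end-of-central-directory record for zipfile to
    parse the result. It is not a general ZIP implementation.
    """
    local_parts, central_parts = [], []
    offset = 0
    dos_date = 0x21  # 1980-01-01, a valid DOS date for the headers
    for name, data, flags in members:
        name_b = name.encode("ascii")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, 0,
                            0, dos_date, crc, len(data), len(data),
                            len(name_b), 0)
        central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20,
                              flags, 0, 0, dos_date, crc, len(data),
                              len(data), len(name_b), 0, 0, 0, 0, 0, offset)
        local_parts.append(local + name_b + data)
        central_parts.append(central + name_b)
        offset += len(local) + len(name_b) + len(data)
    central = b"".join(central_parts)
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, len(members),
                       len(members), len(central), offset, 0)
    return b"".join(local_parts) + central + eocd


def audit_zip(blob):
    """Return (plaintext_members, encrypted_members) from the central directory."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        infos = zf.infolist()
    plain = [i.filename for i in infos if not (i.flag_bits & ENCRYPTED_FLAG)]
    encrypted = [i.filename for i in infos if i.flag_bits & ENCRYPTED_FLAG]
    return plain, encrypted


def is_fully_encrypted(blob):
    """True only if every member carries the encrypted flag."""
    plain, _ = audit_zip(blob)
    return not plain


def readable_without_password(blob):
    """Names of members whose content comes back with no password supplied.

    zipfile refuses encrypted members with RuntimeError ("password required
    for extraction") but returns plaintext members silently, which is the
    behaviour the question describes for GUI extractors.
    """
    readable = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            try:
                zf.read(info.filename)
            except RuntimeError:
                continue
            readable.append(info.filename)
    return readable


# Constructed sample: "report.pdf" is flagged encrypted and holds stand-in
# bytes; "README.txt" was stored in the clear, as in the question.
CIPHERTEXT_STANDIN = bytes(range(12, 44))
SAMPLE_ARCHIVE = _build_zip([
    ("report.pdf", CIPHERTEXT_STANDIN, ENCRYPTED_FLAG),
    ("README.txt", b"plain member stored without the password\n", 0),
])

if __name__ == "__main__":
    plain, enc = audit_zip(SAMPLE_ARCHIVE)
    print("encrypted members:", enc)
    print("plaintext members:", plain)
    print("fully encrypted:", is_fully_encrypted(SAMPLE_ARCHIVE))
    print("readable with no password:", readable_without_password(SAMPLE_ARCHIVE))
```

The check only inspects header flags, so it tells you the archive is inconsistent, not who changed it; that is exactly the gap the answer points at, and why a detached signature over the whole archive (the GPG suggestion) is the actual fix. The same bit can be inspected with `zipinfo -v`, which prints the encryption status of each member.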