Our current approach of using encrypted zip files does not require this trust.
Encrypted zip files do require trust; it's a different trust that you've chosen to ignore. Unfortunately there's no magic solution. You will have to maintain security on your servers no matter what method you choose.
If your servers are insecure, fix that first. Then switch to a hosting company that you can trust.
Even if a hacker gains full control of the server, they cannot decrypt the archives without the password.
Yes, but that makes the assumption that they can never obtain a copy of your program that uses the password. Once they get the program, the password is visible in memory. So every customer that has your app installed has access to the password. Thus the security of the password-protected archives is illusory when applied to updating.
One customer buying your app with a stolen credit card (or using a computer with the app installed) has the "keys to the castle" so to speak.
Once a single user has access to the password, all security is out the window.
The password is always used locally and never transmitted across the internet.
How do they get the password?
Telephone call? What if the line is tapped?
Snail mail? What if a neighbor opens the mail?
Email? Very very insecure.
Embedded in the app? Every customer downloading your app can read the password.
In other words, using password-protected archives is fine if the person developing the app is the only person to ever attempt to open the archive. In every other case password-protected archives are perhaps the weakest security you could implement.

Why you should use licensing to limit updates
Now I'm going to cover why you should use licensing and address any other points you've raised.

Step 1: Use HTTPS and buy a secure server
First of all, if you're limiting updates then you need to use HTTPS (a.k.a. encrypted HTTP) and your servers must be secure. If you don't know how to secure your website then you need to hire someone. If your servers are on shared servers then buy proper colocated servers.

Advantages over password protected archives:
The data will be secure when transmitted to/from your servers. Your server's security is in your hands. With password protected archives the password is spread across your entire user base (i.e. absolutely no security).

Step 2: Use licenses to request updates
When you pass licenses to your (now secure) server you can verify that the license is valid before transmitting the update file. If it's not valid you can just show an error.
See SaaS and time-limited licensing for a fully built example.

Advantages over password protected archives:
Every customer will have their own license. And if you're using hardware-locked licensing like LimeLM you can block the customer on both the client-side and the server-side.
If a customer shares their product key across an organization (or with friends) then you can revoke their product key remotely and it will immediately be useless.
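The server-side check described in Step 2, written out as an added example (this is not code from the thread, from wyDay or from LimeLM, and it does not use any real licensing API). It assumes a hypothetical in-memory license table, a server-held secret used to sign product keys, a hardware id reported by the client, and a single update file; in a real deployment the `serve_update` function would sit behind an HTTPS endpoint and the table would live in a database. The point it demonstrates is the contrast drawn above: the only secret is `SERVER_SECRET`, which never leaves the server, so a client that extracts everything from the installed app still cannot mint keys or fetch updates, and a shared key can be revoked in one place.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed server-side secret. It is never shipped inside the app, which is
# the whole difference from a password baked into every installed copy.
SERVER_SECRET = b"constructed-server-only-secret-rotate-in-production"

# Constructed stand-in for the update package that a valid license unlocks.
UPDATE_FILE = b"constructed-update-payload-v2.0"


@dataclass
class License:
    hardware_id: str      # machine the key is locked to (hypothetical scheme)
    revoked: bool = False


def _tag(customer_id: str) -> str:
    """HMAC tag over the customer id; only the server can compute it."""
    return hmac.new(SERVER_SECRET, customer_id.encode(), hashlib.sha256).hexdigest()[:16]


def issue_key(customer_id: str) -> str:
    """Mint a product key of the form <customer_id>-<tag>."""
    return f"{customer_id}-{_tag(customer_id)}"


def key_is_well_formed(key: str) -> bool:
    """Reject guessed or tampered keys before touching the license table."""
    customer_id, sep, tag = key.rpartition("-")
    if not sep or not customer_id:
        return False
    return hmac.compare_digest(tag, _tag(customer_id))


# Constructed license table: one active customer, one already revoked.
LICENSES = {
    issue_key("cust-001"): License(hardware_id="hw-aaaa"),
    issue_key("cust-002"): License(hardware_id="hw-bbbb", revoked=True),
}


def revoke(key: str) -> None:
    """Remote revocation: the key becomes useless on the next update request."""
    if key in LICENSES:
        LICENSES[key].revoked = True


def authorize_update(key: str, hardware_id: str) -> tuple[bool, str]:
    """Decide whether this key, on this machine, may receive the update."""
    if not key_is_well_formed(key):
        return False, "malformed key"
    lic = LICENSES.get(key)
    if lic is None:
        return False, "unknown key"
    if lic.revoked:
        return False, "revoked"
    if not hmac.compare_digest(lic.hardware_id, hardware_id):
        return False, "hardware mismatch"
    return True, "ok"


def serve_update(key: str, hardware_id: str) -> tuple[int, bytes]:
    """What the HTTPS update endpoint would return: (status, body)."""
    ok, reason = authorize_update(key, hardware_id)
    if not ok:
        return 403, reason.encode()
    return 200, UPDATE_FILE


if __name__ == "__main__":
    k = issue_key("cust-001")
    print(serve_update(k, "hw-aaaa"))   # update delivered
    print(serve_update(k, "hw-zzzz"))   # same key, wrong machine: refused
    revoke(k)
    print(serve_update(k, "hw-aaaa"))   # revoked remotely: refused everywhere
```

Note that a key copied out of one installation still fails on another machine (hardware lock) and fails everywhere once revoked, whereas a zip password copied out of one installation works for every copy forever.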