Also, in the past every threat model we had for package updates included threats and modes of operation that transport-layer security cannot protect against, e.g. version downgrade. Of course, if you rely on package signing, your solution for it has to be correct and safe.
-
-
Show this threadThanks. Twitter will use this to make your timeline better. UndoUndo
-
-
-
Will your app work if you can't do TLS?
-
An update can fix broken TLS if the update isn't using the same broken TLS stack.
-
But update can also wait till you get home etc and on a better network?
-
It won't help if the machine is usually/always on the bad network or if the problem is not the network but your application (e.g. TLS key pinning or CA configuration).
-
Would you say this example is a good exemplar of the defense value of TLS? https://justi.cz/security/2018/09/13/alpine-apk-rce.html …
End of conversation
New conversation -
-
-
When we designed Windows Update we decided to build for HTTP for this and other reasons. Today however I think I would not consider building a online update system without HTTPS.
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
-
-
Transport should be irrelevant, IMO. It's technically impractical to distribute blobs at scale while requiring end-to-end TLS. We need to trust CDNs and sign through a separate mechanism to protect from a compromise of the distribution infrastructure.
- 2 more replies
New conversation -
-
-
It depends on your threat model and the guarantees you want. Don't forget that TLS doesn't just provide integrity but confidentiality too. Do you want malicious actors to know what you have installed?
-
Furthermore, there are other factors you may have to consider. Do you have keys baked in your hardware? Do you have the ability as a vendor to store the signing keys in HSMs?
End of conversation
New conversation -
-
-
I have so many feels.
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.