Demand TLS for software updates. Leaking information on which package is updating enables automated exploitation and often downgrade attacks. Updaters can be vulnerable, but difficult to exploit if TLS validation occurs on the connection. Example: https://justi.cz/security/2018/09/13/alpine-apk-rce.html …
It can: if the attacker is unable to MITM the TLS connection, an older package can't be substituted. It doesn't apply if a package is being manually applied.
Domains can also switch hands. Intentionally or not. TLS doesn’t prevent the new owner from serving malicious payloads. Still over TLS. At the end, we all agree that we need signatures + downgrade protection + TLS.
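The thread's conclusion, signatures plus downgrade protection on top of TLS, as an added example that is not part of the original tweets. It is a client-side check of a signed update manifest: the signature is verified before any manifest field is trusted, the manifest binds package name, version and content hash together, the version must be strictly newer than the installed one, and the manifest carries an expiry so a stale but validly signed copy cannot be replayed forever. The expiry and name binding go slightly beyond what the thread states. Everything here is constructed for illustration: the key, the package names and the manifest layout are assumptions, and an HMAC stands in for the asymmetric signature (e.g. Ed25519) a real updater would verify with a public key.

```python
"""Added example: verifying a signed update manifest with downgrade protection."""
import hashlib
import hmac
import json

# Constructed demo key. It stands in for the publisher's signing key; a real updater
# would verify an asymmetric signature so that clients hold only the public key.
PUBLISHER_KEY = b"constructed-demo-key-do-not-use"


def canonical_bytes(manifest: dict) -> bytes:
    """Serialise deterministically so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def make_manifest(name: str, version: str, package: bytes, expires: int) -> dict:
    """Publisher side: bind package name, version, content hash and an expiry together."""
    return {
        "name": name,
        "version": version,
        "sha256": hashlib.sha256(package).hexdigest(),
        "expires": expires,  # unix time after which this manifest must not be accepted
    }


def sign_manifest(manifest: dict, key: bytes = PUBLISHER_KEY) -> bytes:
    """Publisher side. HMAC is a stand-in for an asymmetric signature (assumption)."""
    return hmac.new(key, canonical_bytes(manifest), hashlib.sha256).digest()


def parse_version(version: str) -> tuple:
    """Dotted numeric version -> comparable tuple, e.g. "1.2.0" -> (1, 2, 0)."""
    return tuple(int(part) for part in version.split("."))


def check_update(manifest: dict, signature: bytes, package: bytes,
                 expected_name: str, installed_version: str, now: int,
                 key: bytes = PUBLISHER_KEY) -> str:
    """Client side. Returns "accepted" or "rejected: <reason>".

    Order matters: nothing in the manifest is trusted until the signature checks
    out, so the signature is verified first and every later decision uses only
    signed fields plus local state (installed version, clock).
    """
    expected = hmac.new(key, canonical_bytes(manifest), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return "rejected: bad signature"
    if manifest["name"] != expected_name:
        # A valid signature over some other package is not a valid update for this one.
        return "rejected: manifest is for a different package"
    if now > manifest["expires"]:
        # A frozen, replayed manifest is still signed; the expiry bounds its lifetime.
        return "rejected: manifest expired (possible freeze/replay)"
    if parse_version(manifest["version"]) <= parse_version(installed_version):
        # Downgrade protection: an older signed release must not replace a newer one.
        return "rejected: downgrade or replay of current version"
    if hashlib.sha256(package).hexdigest() != manifest["sha256"]:
        return "rejected: package hash mismatch"
    return "accepted"


if __name__ == "__main__":
    # Constructed sample data: a current release and an older, still validly signed one.
    new_pkg = b"constructed package bytes for 1.2.0"
    old_pkg = b"constructed package bytes for 1.0.0"
    m_new = make_manifest("example-tool", "1.2.0", new_pkg, expires=2_000_000)
    m_old = make_manifest("example-tool", "1.0.0", old_pkg, expires=2_000_000)
    s_new, s_old = sign_manifest(m_new), sign_manifest(m_old)
    print(check_update(m_new, s_new, new_pkg, "example-tool", "1.1.0", now=1_500_000))
    print(check_update(m_old, s_old, old_pkg, "example-tool", "1.1.0", now=1_500_000))
```

Note how the pieces divide the work: TLS hides which package is being fetched and stops on-path substitution, the signature ties the artefact to the publisher's key rather than to whoever currently controls the domain, and the version and expiry checks keep an old but genuine release from being replayed as an "update".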