Demand TLS for software updates. Leaking information on which package is updating enables automated exploitation and often downgrade attacks. Updaters can be vulnerable, but difficult to exploit if TLS validation occurs on the connection. Example: https://justi.cz/security/2018/09/13/alpine-apk-rce.html …
Not a replacement for a proper independent mechanism. TLS is necessary, but getting users to install arbitrary root CAs is sadly way too easy.
fair point, but TLS certainly helps with most update schemes (coffee shop wifi and background updates)
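The three points the thread makes (an update channel must be HTTPS with real certificate validation, a version must never go backwards, and TLS is not a substitute for an independent integrity check) can be turned into concrete policy checks. The block below is an added example, not code from the thread or from any real package manager; it assumes a hypothetical updater that downloads a package and holds an out-of-band manifest of expected versions and SHA-256 digests. The sample package bytes and manifest are constructed inline so it runs offline.

```python
"""Update-channel policy checks (added example; hypothetical updater)."""
import hashlib
import hmac
import ssl
from urllib.parse import urlparse


class UpdatePolicyError(Exception):
    """Raised when an offered update violates the update policy."""


def make_tls_context() -> ssl.SSLContext:
    """TLS context that actually validates the server.

    create_default_context() already loads the system trust store; the
    explicit settings below make the intent visible and stop a later
    "fix" from silently turning validation off.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True                      # cert must match the host
    ctx.verify_mode = ssl.CERT_REQUIRED            # chain must validate
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse legacy protocol versions
    return ctx


def check_update_url(url: str) -> str:
    """Refuse anything but https; a plain-http mirror exposes the package
    name and version to anyone on the path and lets them swap the bytes."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        raise UpdatePolicyError(f"refusing non-HTTPS update URL: {url}")
    return url


def parse_version(version: str) -> tuple:
    """Dotted numeric version -> comparable tuple, e.g. '1.10.2' -> (1, 10, 2)."""
    return tuple(int(part) for part in version.split("."))


def check_no_downgrade(installed: str, offered: str) -> str:
    """An update server (or whoever is impersonating it) must not be able
    to push an older, vulnerable build back onto the host."""
    if parse_version(offered) < parse_version(installed):
        raise UpdatePolicyError(f"downgrade refused: {installed} -> {offered}")
    return offered


def check_package_digest(package: bytes, expected_sha256: str) -> str:
    """Independent integrity check: the digest comes from a manifest obtained
    separately from the download channel, so it still holds if the TLS trust
    store has been polluted with an extra root CA."""
    digest = hashlib.sha256(package).hexdigest()
    if not hmac.compare_digest(digest, expected_sha256.lower()):
        raise UpdatePolicyError("package digest does not match manifest")
    return digest


def validate_update(url: str, installed: str, offered: str,
                    package: bytes, expected_sha256: str) -> dict:
    """Run every check; return a summary only if all of them pass."""
    return {
        "url": check_update_url(url),
        "version": check_no_downgrade(installed, offered),
        "sha256": check_package_digest(package, expected_sha256),
    }


def rejects(*args) -> bool:
    """True if validate_update raises UpdatePolicyError for these arguments."""
    try:
        validate_update(*args)
    except UpdatePolicyError:
        return True
    return False


# Constructed sample data (hypothetical package; no real project).
SAMPLE_PACKAGE = b"\x1f\x8b" + b"fake-package-payload-for-the-example" * 4
MANIFEST = {"version": "2.4.1", "sha256": hashlib.sha256(SAMPLE_PACKAGE).hexdigest()}
GOOD_URL = "https://updates.example.invalid/pkg/2.4.1/pkg.tar.gz"
INSTALLED_VERSION = "2.3.9"

if __name__ == "__main__":
    print(validate_update(GOOD_URL, INSTALLED_VERSION, MANIFEST["version"],
                          SAMPLE_PACKAGE, MANIFEST["sha256"]))
```

The digest check is what the second reply is asking for: with only TLS, any CA the user has been talked into installing can vouch for a hostile mirror, whereas a manifest digest (or a signature over it) obtained through a separate channel still fails closed.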