Demand TLS for software updates. Leaking information on which package is updating enables automated exploitation and often downgrade attacks. Updaters can be vulnerable, but difficult to exploit if TLS validation occurs on the connection. Example: https://justi.cz/security/2018/09/13/alpine-apk-rce.html …
Replying to @jedisct1
It can: if the attacker is unable to MITM the TLS connection, an older package can't be substituted. It doesn't apply if a package is being manually applied.
2 replies 1 retweet 6 likes
Replying to @hdmoore
Domains can also switch hands. Intentionally or not. TLS doesn’t prevent the new owner from serving malicious payloads. Still over TLS. At the end, we all agree that we need signatures + downgrade protection + TLS.
1 reply 4 retweets 19 likes
Domains being hijacked or simply reassigned after having expired is often overlooked. TLS doesn’t do anything here, it even adds trust to something potentially malicious.
2:16 PM - 21 Jan 2019
0 replies 0 retweets 8 likes
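The thread converges on "signatures + downgrade protection + TLS". The following is an added example, not code from any of the posters, that shows what the client side of the first two looks like: a manifest carrying the package version and hash is signed by the publisher, and the updater refuses anything whose signature fails, whose version is not strictly newer than what is installed (this is what stops a replayed old-but-validly-signed manifest, for instance one served by whoever now controls an expired domain), or whose payload does not match the signed hash. The manifest format, key, version scheme and package bytes are all constructed here; HMAC-SHA256 is used only as a stdlib-only stand-in for the asymmetric signature (e.g. Ed25519) a real updater would verify with a public key.

```python
import hashlib
import hmac
import json

# Constructed key. Stands in for the publisher's signing key; a real updater
# would hold only a public key and verify an asymmetric signature.
PUBLISHER_KEY = b"constructed-publisher-key"


def canonical(manifest: dict) -> bytes:
    """Canonical JSON so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes = PUBLISHER_KEY) -> str:
    """Publisher side: sign the canonical manifest (hypothetical format)."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_update(manifest: dict, signature: str, package: bytes,
                  installed_version: tuple, key: bytes = PUBLISHER_KEY):
    """Client side. Returns (accepted, reason).

    Order matters: nothing in the manifest is trusted until its signature
    checks out, then the version is compared to what is installed, and only
    then is the payload checked against the signed hash.
    """
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    # Downgrade protection: a validly signed but older (or equal) version is a
    # replay, not an update. Versions are compared as tuples of integers.
    if tuple(manifest["version"]) <= tuple(installed_version):
        return False, "downgrade or replay"
    digest = hashlib.sha256(package).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        return False, "package hash mismatch"
    return True, "ok"


def demo() -> dict:
    """Run the verifier against four constructed scenarios."""
    installed = (1, 2, 0)
    new_pkg = b"constructed package payload 1.3.0"
    old_pkg = b"constructed package payload 1.1.0"

    new_manifest = {"name": "examplepkg", "version": [1, 3, 0],
                    "sha256": hashlib.sha256(new_pkg).hexdigest()}
    old_manifest = {"name": "examplepkg", "version": [1, 1, 0],
                    "sha256": hashlib.sha256(old_pkg).hexdigest()}
    new_sig = sign_manifest(new_manifest)
    old_sig = sign_manifest(old_manifest)

    # A manifest edited in transit: version bumped without re-signing.
    tampered = dict(new_manifest, version=[9, 9, 9])

    return {
        "genuine update": verify_update(new_manifest, new_sig, new_pkg, installed),
        # Old release replayed: signature is genuine, so only the version
        # check (downgrade protection) catches it.
        "replayed old release": verify_update(old_manifest, old_sig, old_pkg, installed),
        "tampered manifest": verify_update(tampered, new_sig, new_pkg, installed),
        # Correct manifest, but the payload served does not match its hash.
        "swapped payload": verify_update(new_manifest, new_sig, old_pkg, installed),
    }


if __name__ == "__main__":
    for scenario, (ok, reason) in demo().items():
        print(f"{scenario:22s} -> {'ACCEPT' if ok else 'REJECT'} ({reason})")
```

The version check is the part TLS alone never gives you: every one of the rejected manifests could have been served over a perfectly valid TLS session. TLS still earns its place by keeping the package name and version off the wire, which is the point the first post makes about automated exploitation.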