Well, regardless of exploitability, this attitude just destroyed any confidence I had in VLC's updater being secure. Seriously, WTF. https://trac.videolan.org/vlc/ticket/21737 …
No, it is not. It solves the update information being accurate, but not the full update issue.
It fixes the exact two scenarios I mentioned, and generally speaking fixes all attack scenarios involving a basic network MITM on updates other than plain denial-of-updates (which is not fixable).
Assuming you're doing https correctly (i.e. pinning, or at least root verification), which is also a big assumption :)
and revocation and CA validation, et caetera...