Debian: "We don't need to use HTTPS, we sign our packages! Check out whydoesaptnotusehttps[.]com!"
https://lists.debian.org/debian-security-announce/2019/msg00010.html
https://justi.cz/security/2019/01/22/apt-rce.html
Oops.
*This* is why you use HTTPS. Defense in depth. Take note @videolan.
‘Oops’. Also looks like apt just doesn’t do the smartest thing when fetching assets. iOS also fetches assets at runtime over HTTP, but it then proceeds to check the signature on it, so...
The problem here is a fuckup in the way they use their HTTP client. They are trying to handle HTTP redirects at a higher level and have effectively a protocol injection vuln in the Location: URI that lets you bypass signing.
May as well add anybody who's ever written anything in java, too: https://twitter.com/bascule/status/1087796800642113536