Debian: "We don't need to use HTTPS, we sign our packages! Check out whydoesaptnotusehttps[.]com!"
https://lists.debian.org/debian-security-announce/2019/msg00010.html …
https://justi.cz/security/2019/01/22/apt-rce.html …
Oops.
*This* is why you use HTTPS. Defense in depth. Take note @videolan.
-
‘Oops’. Also looks like apt just doesn’t do the smartest thing when fetching assets. iOS also fetches assets at runtime over HTTP, but it then proceeds to check the signature on it, so...
The problem here is a fuckup in the way they use their HTTP client. They are trying to handle HTTP redirects at a higher level and have effectively a protocol injection vuln in the Location: URI that lets you bypass signing.
-
-
So they still check signatures, but they have a vuln at a level *higher* than that, in the way they use HTTP itself. This is the kind of attack surface HTTPS gets rid of, of course.
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.