Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
- Subject: Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
- From: Quincey Morris <email@hidden>
- Date: Tue, 09 Feb 2016 18:03:07 -0800
- Feedback-id: 167118m:167118agrif8a:167118sceKqrqF84:SMTPCORP
On Feb 9, 2016, at 17:53 , Graham Cox <email@hidden> wrote:
>
> The appcast supplies the URL for the release notes, so that can be updated to https without having to republish the app itself. That makes this a lot less trouble than it seems.
Yes, but the appcast itself is vulnerable to separate attack, if your access to it is http. (Its URL is specified in the bundle plist.)
>> Already updated to use https, but of course the problem is that in itself requires a Sparkle update…
Yes, but it’s no worse a problem than the one you started with.
_______________________________________________
Cocoa-dev mailing list (email@hidden)
Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden