• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

  • Subject: Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
  • From: sqwarqDev <email@hidden>
  • Date: Wed, 10 Feb 2016 12:45:52 +0700
> On 10 Feb 2016, at 09:08, Charles Srstka <email@hidden> wrote:
>
> If your app is accessing your appcast via HTTP, that could be intercepted just the same as your relnotes, and then the attacker could set the relnotes URL to whatever s/he wants.


Can I just double-check my understanding here:

1. If the SUFeedURL uses https, the app is not vulnerable.

2. If 1 is true, neither of these matter:
	2.1 the version of Sparkle
	2.2 whether the release notes are http or https


TIA


Phil


_______________________________________________

Cocoa-dev mailing list (email@hidden)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden
  • Follow-Ups:
    • Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
      • From: Ken Thomases <email@hidden>
    • Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
      • From: Roland King <email@hidden>
References: 
 >PSA: Does your app use Sparkle? Update it, or use an HTTPS server (From: Jens Alfke <email@hidden>)
 >Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server (From: Graham Cox <email@hidden>)
 >Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server (From: Jens Alfke <email@hidden>)
 >Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server (From: Graham Cox <email@hidden>)
 >Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server (From: Graham Cox <email@hidden>)
 >Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server (From: Charles Srstka <email@hidden>)

  • Prev by Date: Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
  • Next by Date: Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
  • Previous by thread: Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
  • Next by thread: Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
  • Index(es):
    • Date
    • Thread