Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

  • Subject: Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
  • From: Ken Thomases <email@hidden>
  • Date: Wed, 10 Feb 2016 00:15:18 -0600

On Feb 9, 2016, at 11:45 PM, sqwarqDev <email@hidden> wrote:
>
>
>> On 10 Feb 2016, at 09:08, Charles Srstka <email@hidden> wrote:
>>
>> If your app is accessing your appcast via HTTP, that could be intercepted just the same as your relnotes, and then the attacker could set the relnotes URL to whatever s/he wants.
>
>
> Can I just double-check my understanding here:
>
> 1. If the SUFeedURL uses https, the app is not vulnerable.

Not quite, because of 2.2 below.

Also, in theory somebody could: a) compromise your server to serve a malicious appcast or b) get a Certificate Authority to issue them a certificate in error (e.g. via social hack), thus undermining HTTPS security.  These are less likely and fairly catastrophic, so may be deemed to eclipse the vulnerability in Sparkle.


> 2. If 1 is true, neither of these matter:
> 	2.1 the version of Sparkle
> 	2.2 whether the release notes are http or https

If the release notes are via a separate URL and that URL is HTTP rather than HTTPS, then the attacker can spoof it as easily as they could spoof an HTTP appcast.  If they do that, then your app is just as vulnerable.

You are mostly safe if the appcast URL is HTTPS _and_ the release notes are embedded in the appcast or accessed via HTTPS URL.

Regards,
Ken
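A defender-side check for the two conditions Ken sets out (the scheme of SUFeedURL and the scheme of each item's separate release-notes link), as an added example that is not part of this thread or of Sparkle itself. It assumes the standard Sparkle appcast RSS namespace; the feed URL, hostnames and the two sample items are constructed.

```python
"""Audit a Sparkle update channel for anything fetched over plain HTTP.

Per the thread: an HTTPS appcast is not enough on its own, because a
release-notes link that points at an HTTP URL is spoofable just like an
HTTP appcast.  Notes embedded in the item's <description> ride inside the
feed itself, so they inherit the feed's transport.
"""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# Standard Sparkle appcast namespace.
SPARKLE_NS = "http://www.andymatuschak.org/xml-namespaces/sparkle"


def is_https(url: str) -> bool:
    return urlparse(url.strip()).scheme.lower() == "https"


def audit_update_channel(feed_url: str, appcast_xml: str) -> list:
    """Return human-readable findings; an empty list means no HTTP fetch was found."""
    findings = []
    if not is_https(feed_url):
        findings.append(f"SUFeedURL is not HTTPS: {feed_url}")
    root = ET.fromstring(appcast_xml)
    for item in root.iter("item"):
        title = item.findtext("title", default="<untitled>")
        # Separate release-notes URL; absent when notes are embedded in <description>.
        notes = item.find(f"{{{SPARKLE_NS}}}releaseNotesLink")
        if notes is not None and notes.text and not is_https(notes.text):
            findings.append(f"{title}: release notes fetched over HTTP: {notes.text.strip()}")
    return findings


# Constructed sample appcast: one item with an HTTP notes link, one with embedded notes.
SAMPLE_APPCAST = f"""<rss version="2.0" xmlns:sparkle="{SPARKLE_NS}">
 <channel>
  <item>
   <title>Version 2.1</title>
   <sparkle:releaseNotesLink>http://updates.example.invalid/2.1.html</sparkle:releaseNotesLink>
  </item>
  <item>
   <title>Version 2.0</title>
   <description><![CDATA[<h2>2.0</h2><p>Initial release.</p>]]></description>
  </item>
 </channel>
</rss>"""

if __name__ == "__main__":
    for finding in audit_update_channel("https://updates.example.invalid/appcast.xml", SAMPLE_APPCAST):
        print(finding)
```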

