Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
- Subject: Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server
- From: email@hidden
- Date: Wed, 10 Feb 2016 07:59:43 +0100
- Importance: Normal
About feedback to users and helping them avoid problems:
So in order to avoid problems in the immediate short run, we should inform
users to turn off automatic software updates and update checks with a
current version and also tell them how they can find out which apps use
Sparkle?
Once an updated version is available, inform them to update, but only
through a secure network?
Anything more we need to think of with regard to users?
> On Feb 9, 2016, at 11:45 PM, sqwarqDev <email@hidden> wrote:
>>
>>
>>> On 10 Feb 2016, at 09:08, Charles Srstka <email@hidden>
>>> wrote:
>>>
>>> If your app is accessing your appcast via HTTP, that could be
>>> intercepted just the same as your relnotes, and then the attacker could
>>> set the relnotes URL to whatever s/he wants.
>>
>>
>> Can I just double-check my understanding here:
>>
>> 1. If the SUFeedURL uses https, the app is not vulnerable.
>
> Not quite, because of 2.2 below.
>
> Also, in theory somebody could: a) compromise your server to serve a
> malicious appcast or b) get a Certificate Authority to issue them a
> certificate in error (e.g. via social hack), thus undermining HTTPS
> security. These are less likely and fairly catastrophic, so may be deemed
> to eclipse the vulnerability in Sparkle.
>
>
>> 2. If 1 is true, neither of these matter:
>> 2.1 the version of Sparkle
>> 2.2 whether the release notes are http or https
>
> If the release notes are via a separate URL and that URL is HTTP rather
> than HTTPS, then the attacker can spoof it as easily as they could spoof
> an HTTP appcast. If they do that, then your app is just as vulnerable.
>
> You are mostly safe if the appcast URL is HTTPS _and_ the release notes
> are embedded in the appcast or accessed via HTTPS URL.
>
> Regards,
> Ken
>
>
_______________________________________________
Cocoa-dev mailing list (email@hidden)
Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
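The rule Ken states above (appcast URL over HTTPS, and release notes either embedded in the appcast or fetched over HTTPS) can be turned into a quick audit of a feed URL and its appcast. The following Python is an added example written for this page; it is not code from the thread or from the Sparkle project. The appcast below is constructed, the host `updates.example.invalid` is a placeholder, and the element names (`sparkle:releaseNotesLink`, `enclosure`, `description`) and the Sparkle XML namespace are the ones Sparkle's appcast format uses.

```python
"""Audit a Sparkle SUFeedURL and appcast for release notes fetched over plain HTTP.

Added example for this thread; not part of the original post or of Sparkle.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespace Sparkle uses for its appcast extensions.
SPARKLE_NS = "http://www.andymatuschak.org/xml-namespaces/sparkle"

# Constructed sample appcast: item 2.0 points its release notes at an HTTP URL,
# item 1.9 embeds its notes in <description>, which needs no extra fetch.
SAMPLE_APPCAST = """<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle">
  <channel>
    <title>Example App Updates</title>
    <item>
      <title>Version 2.0</title>
      <sparkle:releaseNotesLink>http://updates.example.invalid/notes/2.0.html</sparkle:releaseNotesLink>
      <enclosure url="https://updates.example.invalid/ExampleApp-2.0.zip"
                 sparkle:version="200" sparkle:shortVersionString="2.0"
                 type="application/octet-stream" />
    </item>
    <item>
      <title>Version 1.9</title>
      <description><![CDATA[<p>Bug fixes.</p>]]></description>
      <enclosure url="https://updates.example.invalid/ExampleApp-1.9.zip"
                 sparkle:version="190" type="application/octet-stream" />
    </item>
  </channel>
</rss>
"""


def is_https(url):
    """True only when the URL scheme is https (case-insensitive)."""
    return urlparse(url.strip()).scheme.lower() == "https"


def audit_feed_url(feed_url):
    """Findings for the SUFeedURL value itself (the appcast fetch)."""
    findings = []
    if not is_https(feed_url):
        findings.append("SUFeedURL is not HTTPS: %s" % feed_url)
    return findings


def audit_appcast(xml_text):
    """One finding per item whose release notes are loaded from a non-HTTPS URL.

    Items that embed notes in <description> make no separate fetch and pass.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for item in root.iter("item"):
        title = item.findtext("title", default="(untitled)")
        notes = item.find("{%s}releaseNotesLink" % SPARKLE_NS)
        if notes is not None and notes.text and not is_https(notes.text):
            findings.append("%s: releaseNotesLink is not HTTPS: %s"
                            % (title, notes.text.strip()))
    return findings


def audit(feed_url, xml_text):
    """Combined check: empty list means the feed meets the HTTPS-everywhere rule."""
    return audit_feed_url(feed_url) + audit_appcast(xml_text)


if __name__ == "__main__":
    for line in audit("https://updates.example.invalid/appcast.xml", SAMPLE_APPCAST):
        print(line)
```

Run against the constructed appcast it reports only the 2.0 item, whose release notes link is plain HTTP; switching that link to HTTPS, or moving the notes into a `<description>` element, clears the finding. Reading the real `SUFeedURL` out of an app's `Info.plist` and fetching the appcast are left to the caller so the checker stays offline.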