Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Shouldn't the certs related to OS / app updates be self-signed (the root of trust being Microsoft/Apple/pkgmanager*), rather than anyone in your CA? Like, a new Java update should be signed by Oracle, not signed by Joe Schmo's Honest CA.

Also, forgive me if I'm wrong, but the original Evilgrade exploit for Apple was completely unencrypted, right?

Edit: You use "these guys" to refer to the attacker quite a bit in your statement above, it'd be smart to think about your threat model a bit. For instance, it's likely that some actors can get a root WEB CA, and somewhat unlikely that they've gotten into Apple's chain of trust. These are different targets with different threat models.



> Shouldn't the certs related to OS / app updates be self-signed (the root of trust being Microsoft/Apple/pkgmanager*), rather than anyone in your CA?

Yes, this is how Debian works (they use a well known gpg key to sign their list of packages).

I believe the popular Mac OS X library Sparkle also works like this—the master public key is shipped with the App so that it only accepts updates that are signed by that particular key (if you use Apple's code signing then it only accepts new updates if they are signed by a key assigned to the developer).


That's the way Microsoft do it, yes. They have certificate pinning in the OS for updates (it isn't technically self-signed, but same principle).

FinFisher was exploiting insecure updates but they aren't the only game in town. There was, and still is, software around which only validates if the certificate is valid (via the OS) and little more, then will happily install the update as root.

As far as I know OS X is no longer vulnerable. I was just using that as an example to show that "anything" could be targeted that has automatic updates.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: