On Feb 9, 2016, at 11:45 PM, sqwarqDev <sqwarq...@icloud.com> wrote: > > >> On 10 Feb 2016, at 09:08, Charles Srstka <cocoa...@charlessoft.com> wrote: >> >> If your app is accessing your appcast via HTTP, that could be intercepted >> just the same as your relnotes, and then the attacker could set the relnotes >> URL to whatever s/he wants. > > > Can I just double-check my understanding here: > > 1. If the SUFeedURL uses https, the app is not vulnerable.
Not quite, because of 2.2 below. Also, in theory somebody could: a) compromise your server to serve a malicious appcast or b) get a Certificate Authority to issue them a certificate in error (e.g. via social hack), thus undermining HTTPS security. These are less likely and fairly catastrophic, so may be deemed to eclipse the vulnerability in Sparkle. > 2. If 1 is true, neither of these matter: > 2.1 the version of Sparkle > 2.2 whether the release notes are http or https If the release notes are via a separate URL and that URL is HTTP rather than HTTPS, then the attacker can spoof it as easily as they could spoof an HTTP appcast. If they do that, then your app is just as vulnerable. You are mostly safe if the appcast URL is HTTPS _and_ the release notes are embedded in the appcast or accessed via HTTPS URL. Regards, Ken _______________________________________________ Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com
