About feedback to users and helping them avoid problems:

So in order to avoid problems in the immediate short run, we should inform
users to turn off automatic software updates and update checks with a
current version and also tell them how they can find out which apps use
Sparkle?

Once an updated version is available, inform them to update, but only
through a secure network?

Anything more we need to think of with regard to users?

> On Feb 9, 2016, at 11:45 PM, sqwarqDev <sqwarq...@icloud.com> wrote:
>>
>>
>>> On 10 Feb 2016, at 09:08, Charles Srstka <cocoa...@charlessoft.com>
>>> wrote:
>>>
>>> If your app is accessing your appcast via HTTP, that could be
>>> intercepted just the same as your relnotes, and then the attacker could
>>> set the relnotes URL to whatever s/he wants.
>>
>>
>> Can I just double-check my understanding here:
>>
>> 1. If the SUFeedURL uses https, the app is not vulnerable.
>
> Not quite, because of 2.2 below.
>
> Also, in theory somebody could: a) compromise your server to serve a
> malicious appcast or b) get a Certificate Authority to issue them a
> certificate in error (e.g. via social hack), thus undermining HTTPS
> security.  These are less likely and fairly catastrophic, so may be deemed
> to eclipse the vulnerability in Sparkle.
>
>
>> 2. If 1 is true, neither of these matter:
>>      2.1 the version of Sparkle
>>      2.2 whether the release notes are http or https
>
> If the release notes are via a separate URL and that URL is HTTP rather
> than HTTPS, then the attacker can spoof it as easily as they could spoof
> an HTTP appcast.  If they do that, then your app is just as vulnerable.
>
> You are mostly safe if the appcast URL is HTTPS _and_ the release notes
> are embedded in the appcast or accessed via HTTPS URL.
>
> Regards,
> Ken
>
>
> _______________________________________________
>
> Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)
>
> Please do not post admin requests or moderator comments to the list.
> Contact the moderators at cocoa-dev-admins(at)lists.apple.com
>
> Help/Unsubscribe/Update your Subscription:
> https://lists.apple.com/mailman/options/cocoa-dev/diederik%40tenhorses.com
>
> This email sent to diede...@tenhorses.com

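An added audit script for the two weak points in this exchange (an http SUFeedURL, and an http sparkle:releaseNotesLink inside an otherwise https appcast), plus the "which apps use Sparkle" check the question at the top of this message asks about. This is example code written for this page, not code from the thread or from the Sparkle project. It assumes the standard Sparkle appcast element name sparkle:releaseNotesLink and its namespace, and the usual Contents/Frameworks/Sparkle.framework location inside a bundle; the Info.plist and appcast it runs on are constructed samples. Python rather than a PlistBuddy one-liner so it runs on any machine and can be tested offline.

```python
"""Audit a Sparkle-updating app for an http appcast feed or http release notes.

Added example, not the thread's or Sparkle's code. The sample plist and
appcast below are constructed, not taken from a real application.
"""
import os
import plistlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespace Sparkle appcasts declare for sparkle:* elements (assumed from the
# appcast format; the http scheme here is just an XML namespace identifier).
SPARKLE_NS = "http://www.andymatuschak.org/xml-namespaces/sparkle"


def is_https(url):
    return urlparse(url).scheme.lower() == "https"


def audit_feed_url(info_plist_bytes):
    """Read SUFeedURL from an Info.plist (XML or binary).

    Returns (feed_url, finding); finding is None when the appcast is fetched
    over https. An http feed hands the whole appcast, including the
    release-notes URL, to a network attacker."""
    info = plistlib.loads(info_plist_bytes)
    feed = info.get("SUFeedURL")
    if feed is None:
        return None, "no SUFeedURL key; feed URL may be set in code, check manually"
    if not is_https(feed):
        scheme = urlparse(feed).scheme or "an unknown scheme"
        return feed, "appcast fetched over %s, not https" % scheme
    return feed, None


def audit_appcast(appcast_bytes):
    """One finding per item whose sparkle:releaseNotesLink is not https.
    Notes embedded in <description> travel with the appcast and are not flagged."""
    findings = []
    for item in ET.fromstring(appcast_bytes).iter("item"):
        title = (item.findtext("title") or "?").strip()
        link = item.findtext("{%s}releaseNotesLink" % SPARKLE_NS)
        if link and not is_https(link.strip()):
            findings.append("%s: release notes loaded from %s, not https"
                            % (title, link.strip()))
    return findings


def verdict(info_plist_bytes, appcast_bytes):
    """Apply the rule from the thread: https appcast AND (embedded or https notes)."""
    feed, feed_finding = audit_feed_url(info_plist_bytes)
    if feed_finding:
        # With the appcast itself spoofable, the notes check is moot.
        return ["SUFeedURL %s: %s" % (feed, feed_finding)]
    return audit_appcast(appcast_bytes)


def scan_applications(root="/Applications"):
    """Find bundles under root that embed Sparkle.framework and audit SUFeedURL.
    Assumes the usual Contents/Frameworks location (an assumption; apps that
    load Sparkle from elsewhere are missed). Returns (path, feed, finding)."""
    results = []
    for dirpath, dirnames, _ in os.walk(root):
        if not dirpath.endswith(".app"):
            continue
        dirnames[:] = []  # do not descend into the bundle itself
        if not os.path.isdir(os.path.join(dirpath, "Contents", "Frameworks",
                                          "Sparkle.framework")):
            continue
        try:
            with open(os.path.join(dirpath, "Contents", "Info.plist"), "rb") as f:
                feed, finding = audit_feed_url(f.read())
        except (OSError, plistlib.InvalidFileException) as exc:
            feed, finding = None, "could not read Info.plist: %s" % exc
        results.append((dirpath, feed, finding))
    return results


# Constructed sample inputs (hypothetical app and feed, not real ones).
SAMPLE_INFO_PLIST_HTTP = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.app</string>
  <key>SUFeedURL</key><string>http://example.com/appcast.xml</string>
</dict></plist>"""
SAMPLE_INFO_PLIST_HTTPS = SAMPLE_INFO_PLIST_HTTP.replace(
    b"http://example.com/appcast.xml", b"https://example.com/appcast.xml")
SAMPLE_APPCAST = b"""<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle">
 <channel><title>Example App</title>
  <item><title>Version 2.1</title>
   <sparkle:releaseNotesLink>http://example.com/notes/2.1.html</sparkle:releaseNotesLink>
   <enclosure url="https://example.com/dl/Example-2.1.zip" sparkle:version="2.1" type="application/octet-stream"/>
  </item>
  <item><title>Version 2.0</title>
   <description><![CDATA[<h2>2.0</h2><p>Embedded notes travel with the appcast.</p>]]></description>
   <enclosure url="https://example.com/dl/Example-2.0.zip" sparkle:version="2.0" type="application/octet-stream"/>
  </item>
 </channel></rss>"""

if __name__ == "__main__":
    for line in verdict(SAMPLE_INFO_PLIST_HTTP, SAMPLE_APPCAST):
        print("sample, http feed:", line)
    for line in verdict(SAMPLE_INFO_PLIST_HTTPS, SAMPLE_APPCAST):
        print("sample, https feed:", line)
    if os.path.isdir("/Applications"):
        for path, feed, finding in scan_applications():
            print(path, feed, finding or "ok")
```

Run on a Mac, `scan_applications()` lists the Sparkle-bundling apps a user would need to be told about and flags any with an http feed; the feed's own appcast then goes through `audit_appcast`. The script covers only what a client-side file check can see: the other two cases Ken raises (a compromised update server, a mis-issued certificate) are not detectable this way.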