Why security suites use an insecure connection?
<blockquote data-quote="MacDefender" data-source="post: 885406" data-attributes="member: 83059"><p>Note that the Windows Update attack is kind of scary because they managed to find a compromised certificate that was usable to make Windows think an update was signed.</p><p></p><p>Sure, in some cases, adding SSL/TLS transport security with certificate pinning makes it harder for an attacker to pull off such an attack, but the root problem there is that Microsoft was not digitally validating the update payload itself correctly, and that they had a compromised certificate authority that should have been revoked. Same kinds of mistakes can happen for poorly managed SSL server instances.</p><p></p><p>Transferring signed updates over plain HTTP is actually pretty helpful in a lot of enterprise settings because it does allow a simple ordinary caching proxy server to conserve bandwidth for a variety of updates. Otherwise, you end up with a world where for each vendor and for each product, to prevent a 100MB Acrobat Flash or Chrome update from multiplying to 1TB of bandwidth across 10000 computers, you have to set up some special vendor-specific caching server or enterprise update server, and that only works until you realize one day in the future that another software package became more popular and is now slamming your network too.</p><p></p><p>(In my IT days, it was an utter nightmare especially with smartphones to realize that some release of iOS or Android resulted in the software update scheme changing, and that meant the day that a major vendor pushed out a software update, the whole network would grind to a halt until we figured out how to cache or throttle that particular update mechanism)</p></blockquote><p></p>
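The point in the post above, that the update payload itself has to be validated no matter how it was transported, shown as an added Go example (not part of the original post and not any vendor's actual update code). It assumes an Ed25519 vendor key pinned in the client; `Manifest`, `VerifyUpdate` and `SignManifest` are hypothetical names and all data is constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor; the vendor signs its JSON bytes.
type Manifest struct {
	Name   string `json:"name"`
	SHA256 []byte `json:"sha256"`
}

// VerifyUpdate accepts a payload from any transport (plain HTTP, caching proxy) only if
// the manifest is signed by the pinned key and the payload hash matches the manifest.
func VerifyUpdate(pinned ed25519.PublicKey, manifestJSON, sig, payload []byte) (*Manifest, error) {
	if !ed25519.Verify(pinned, manifestJSON, sig) {
		return nil, errors.New("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, fmt.Errorf("manifest parse: %w", err)
	}
	sum := sha256.Sum256(payload)
	if !bytes.Equal(sum[:], m.SHA256) {
		return nil, errors.New("payload hash does not match signed manifest")
	}
	return &m, nil
}

// SignManifest plays the vendor side for this demo (constructed data only).
func SignManifest(priv ed25519.PrivateKey, name string, payload []byte) (manifestJSON, sig []byte) {
	sum := sha256.Sum256(payload)
	manifestJSON, _ = json.Marshal(Manifest{Name: name, SHA256: sum[:]})
	return manifestJSON, ed25519.Sign(priv, manifestJSON)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	payload := []byte("constructed update payload")
	mj, sig := SignManifest(priv, "demo.pkg", payload)
	_, errIntact := VerifyUpdate(pub, mj, sig, payload)
	_, errAltered := VerifyUpdate(pub, mj, sig, append(payload, 'X'))
	fmt.Println("intact via cache:", errIntact, "| altered in transit:", errAltered)
}
```

The check depends only on the pinned key and the bytes received, so a caching proxy can serve the payload without being trusted.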