Hacker News new | ask | show | jobs
by croes 672 days ago
This what

>According to iVerify, once activated, the application downloads a configuration file via an insecure connection, which can result in system-level code being executed. The configuration file is retrieved from a domain hosted by AWS over unsecured HTTP, which leaves the configuration and the device vulnerable to malicious code, spyware and data wiping.
2 comments
diffeomorphism 672 days ago
https://xkcd.com/463/

The "unsecured HTTP" is about as relevant as lactose is for a butterfly.

link
croes 672 days ago
The app isn't used by Verizon anymore.

How long will they keep the domain they used for that?

link
throwuxiytayq 672 days ago
Huh? Are you really saying that downloading configuration files over HTTP is fine? (I’m really struggling to find a charitable interpretation)
link
diffeomorphism 672 days ago
Of course it is. If you want security, you should secure the files (i.e., signatures, public key, whatever), not the carrier pigeon used to send them.
link
chgs 672 days ago
I think their argument is it shouldn’t download any configuration via any connection.
link
homero 671 days ago
No it's that HTTP means nothing
link
homero 671 days ago
Of course it's fine. You sign the files
link
homero 671 days ago
HTTP means nothing
link