Evernote app upgrades are unencrypted over HTTP (httpshaming.tumblr.com)
3 points by phkn1 4320 days ago
2 comments

Thank you for bringing this to my attention. As an avid Evernote user, I will shoot them a feature request email. MITM attacks are a real problem (how do you think Gamma's FinFisher was deployed?), and there is no excuse for this not to be implemented on such a popular app.
I'm actually a little relieved after clicking through. The post is only talking about app updates, not syncing updates to your notebooks.
Right you are. Fixed the title. The app does sync the notes themselves over SSL.

But this is still a risk, as the link to the app that does the syncing could be blocked to maintain a vulnerability, downgraded to a vulnerable version, or potentially compromised...

> But this is still a risk, as the link to the app that does the syncing could be blocked to maintain a vulnerability

If you can mitm the dns or ip you can still do this even with https.

> downgraded to a vulnerable version

does the app allow "upgrading" to a lower version number automatically?

> or potentially compromised

the app enforces signed updates, no?

That said, they really should get https going for the updates.

>If you can mitm the dns or ip you can still do this even with https.

Strictly speaking you'd need a compromised DNS and a compromised CA (possibly with a wildcard certificate). Certificates provide assurance of identity as well as encryption (that's why public key encryption works). No matter where the connection comes from. (EDIT: If I compromise DNS for an SSL secured site I only get half an attack.)

> does the app allow "upgrading" to a lower version number automatically?

I'm not as familiar with the app update mechanisms in respect to enforcing monotonic version numbers. I don't have proof it enforces this, however.

> the app enforces signed updates, no?

The author says it best here:

http://httpshaming.tumblr.com/post/95160721901/but-its-signe...

>>> But this is still a risk, as the link to the app that does the syncing could be blocked to maintain a vulnerability

>>If you can mitm the dns or ip you can still do this even with https.

>Strictly speaking you'd need a compromised DNS and a compromised CA (possibly with a wildcard certificate). Certificates provide assurance of identity as well as encryption (that's why public key encryption works). No matter where the connection comes from. (EDIT: If I compromise DNS for an SSL secured site I only get half an attack.)

My comment here was for the "the link to the app that does the syncing could be blocked to maintain a vulnerability" argument. That you don't need a CA for. Just throw an NXDOMAIN from the DNS.

edit: please note that I very much agree that update checks should be over https. It's just that I think that it's not a panacea and should be accompanied by e.g. code signing, enforcing updating version, etc.
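The layered checks that the replies above argue for (signed manifests so tampering is caught regardless of transport, a monotonic version rule so a correctly signed older build cannot be pushed as an "upgrade", and a freshness window so a silently blocked update channel is at least noticed) can be sketched in a small update client. The following Go program is an added example for this thread, not code from Evernote or from the httpshaming post; the manifest format, the ed25519 key pair, the fixed clock and the freshness windows are all constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Manifest is a constructed, minimal update manifest (an assumption for this
// example, not Evernote's format). The signature covers the raw JSON bytes,
// so changing any field invalidates it.
type Manifest struct {
	Version  int    `json:"version"`   // monotonically increasing build number
	URL      string `json:"url"`       // where the package would be fetched
	SHA256   string `json:"sha256"`    // expected digest of that package
	IssuedAt int64  `json:"issued_at"` // unix time the publisher signed it
}

var (
	ErrBadSignature  = errors.New("manifest signature does not verify")
	ErrNotNewer      = errors.New("manifest version is not newer than the installed version")
	ErrReplayed      = errors.New("manifest is too old: possible replay of a stale manifest")
	ErrChannelSilent = errors.New("no valid manifest seen within the freshness window: update channel may be blocked")
)

// Client holds the pinned publisher key and the state the checks need.
type Client struct {
	PubKey           ed25519.PublicKey
	InstalledVersion int
	MaxManifestAge   time.Duration // how old a signed manifest may be
	MaxSilence       time.Duration // how long without a good check before alerting
	LastGoodCheck    time.Time
}

// VerifyManifest applies the checks in order: signature first (untrusted bytes
// are never parsed), then manifest age, then version monotonicity.
func (c *Client) VerifyManifest(raw, sig []byte, now time.Time) (*Manifest, error) {
	if !ed25519.Verify(c.PubKey, raw, sig) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	if now.Sub(time.Unix(m.IssuedAt, 0)) > c.MaxManifestAge {
		return nil, ErrReplayed
	}
	if m.Version <= c.InstalledVersion {
		return nil, ErrNotNewer
	}
	c.LastGoodCheck = now
	return &m, nil
}

// CheckSilence covers the "blocked to maintain a vulnerability" case (e.g. a
// hostile resolver answering NXDOMAIN): HTTPS cannot prevent it, but the
// client can notice that it has not seen a valid manifest for too long.
func (c *Client) CheckSilence(now time.Time) error {
	if now.Sub(c.LastGoodCheck) > c.MaxSilence {
		return ErrChannelSilent
	}
	return nil
}

// SignManifest is the publisher side: JSON bytes plus a detached signature.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (raw, sig []byte, err error) {
	raw, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return raw, ed25519.Sign(priv, raw), nil
}

// RunScenarios exercises the failure modes discussed in the thread against a
// freshly generated key pair and returns each outcome by name.
func RunScenarios() (map[string]error, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Unix(1_700_000_000, 0) // constructed fixed clock
	c := &Client{PubKey: pub, InstalledVersion: 42, MaxManifestAge: 7 * 24 * time.Hour,
		MaxSilence: 30 * 24 * time.Hour, LastGoodCheck: now}
	sign := func(v int, issued time.Time) ([]byte, []byte) {
		raw, sig, _ := SignManifest(priv, Manifest{Version: v, SHA256: "constructed-digest",
			URL: "https://updates.example/app-" + fmt.Sprint(v) + ".pkg", IssuedAt: issued.Unix()})
		return raw, sig
	}
	out := map[string]error{}
	raw, sig := sign(43, now) // 1. genuine newer build: accepted
	_, out["genuine"] = c.VerifyManifest(raw, sig, now)
	tampered := append([]byte(nil), raw...) // 2. one byte flipped in transit: rejected
	tampered[len(tampered)-3] ^= 0x01
	_, out["tampered"] = c.VerifyManifest(tampered, sig, now)
	raw, sig = sign(41, now) // 3. correctly signed but older build: downgrade refused
	_, out["downgrade"] = c.VerifyManifest(raw, sig, now)
	raw, sig = sign(44, now.Add(-60*24*time.Hour)) // 4. signed but stale manifest: refused
	_, out["replayed"] = c.VerifyManifest(raw, sig, now)
	out["silence"] = c.CheckSilence(now.Add(45 * 24 * time.Hour)) // 5. channel silent too long
	return out, nil
}

func main() {
	res, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for name, e := range res {
		fmt.Printf("%-9s -> %v\n", name, e)
	}
}
```

Each check catches something the others do not: the signature catches modification on an unencrypted link, the version rule catches a validly signed downgrade, the issue-time window catches replay of an old but valid manifest, and the silence timer is the only one that reacts when the update host simply stops resolving. Transport security (HTTPS) then adds confidentiality and a second identity check on top, which is the defense-in-depth point of the thread.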

Agreed. Defense in depth is key.