Hacker News new | ask | show | jobs
by phkn1 4317 days ago
Right you are. Fixed the title. The the app does sync the notes themselves over SSL.

But this is still a risk, as the link to the app that does the syncing could be blocked to maintain a vulnerability, downgraded to a vulnerable version, or potentially compromised...
1 comments
hjlklhj 4317 days ago
> But this is still a risk, as the link to the app that does the syncing could be blocked to maintain a vulnerability

If you can mitm the dns or ip you can still do this even with https.

> downgraded to a vulnerable version

does the app allow "upgrading" to a lower version number automatically?

> or potentially compromised

the app enforces signed updates, no?

That said, they really should get https going for the updates.

link
phkn1 4317 days ago
>If you can mitm the dns or ip you can still do this even with https.

Strictly speaking you'd need a compromised DNS and a compromised CA (possibly with a wildcard certificate). Certificates provide assurance of identity as well as encryption (that's why public key encryption works). No matter where the connection comes from. (EDIT: If I compromise DNS for an SSL secured site I only get half an attack.)

> does the app allow "upgrading" to a lower version number automatically?

I'm not as familiar with the app update mechanisms in respect to enforcing monotonic version numbers. I don't have proof it enforces this, however.

> the app enforces signed updates, no?

The author says it best here:

http://httpshaming.tumblr.com/post/95160721901/but-its-signe...

link
hjlklhj 4317 days ago
>>> But this is still a risk, as the link to the app that does the syncing could be blocked to maintain a vulnerability

>>If you can mitm the dns or ip you can still do this even with https.

>Strictly speaking you'd need a compromised DNS and a compromised CA (possibly with a wildcard certificate). Certificates provide assurance of identity as well as encryption (that's why public key encryption works). No matter where the connection comes from. (EDIT: If I compromise DNS for an SSL secured site I only get half an attack.)

My comment here was for the "the link to the app that does the syncing could be blocked to maintain a vulnerability" argument. That you don't need a CA for. Just throw a NXDOMAIN from the dns.

edit: please note that I very much agree that update checks should be over https. It's just that I think that it's not a panacea and should be accompanied by e.g. code signing, enforcing updating version, etc.

link
phkn1 4317 days ago
Agreed. Defense in depth is key.
link