0xDEAFBEAD 20 hours ago

So basically you're targeting a tiny fraction of power users who are capable and motivated to find and exploit a vulnerability on their own machine which bypasses update signing. I think you'll find more bang for your malicious buck elsewhere.
saghm 20 hours ago

So wouldn't this logic also apply to updates that are signed with an invalid signature? And at that point, it sounds like you're saying that once something is signed and distributed, no one will ever try to compromise that and you're free and clear for the rest of time, which seems... dubious.
0xDEAFBEAD 19 hours ago

My mental model is that requiring updates to be signed delivers a lot of security bang for your buck. Do you disagree? An attacker can still steal the private key, or identify a flaw in the signature checking code. It looks like there are a variety of other, more constrained attacks: https://theupdateframework.io/docs/security/#attacks-and-wea... But overall, it seems to me that you can make an attacker's life considerably more difficult, for a comparatively small effort.
saghm 15 hours ago

I don't disagree with everything you said, but I don't see how "therefore, you don't need to worry about a critical update without a signature" follows. The reason that it provides a lot of value is specifically because it helps you notice things like what's going on now so you can avoid installing unsigned updates.