
The fun thing to think about is whether or not you can guarantee that the update you receive is actually from Apple and not someone sending you a fake via MITM.

Sure, they show a SHA1 on this page: http://support.apple.com/kb/DL1726 but that could be MITM'd as well.



Updates are signed and the OS will refuse to run them if signature verification fails, so unless your MITM has Apple's signing key that wouldn't work.

(And no, this bug didn't break client-side signed package verification.)


Unless your box has already been pwnd and the update installer has been modified to not install that update in the way it was meant to be.


Yes, if we assume you're already fucked, then we can conclude that there is nothing you can do to verify anything and that you are fucked, because we have assumed our conclusion. SHA1s and MD5s are equally pointless in this case because you've already assumed you're fucked, so it should all be assumed to be lying to you.

If, however, we don't engage in circular reasoning and we assume your box isn't currently in the possession of the Russian mafia or (insert preferred APT here), then how can one be reasonably confident that the update one receives through the updater is legitimately the one Apple is distributing?

Because it is signed and the code-signing verification was not broken by this bug.


> If, however, we don't engage in circular reasoning

I agree with the point you're making, but you can also turn this idea around, after which it serves to highlight how insanely inadequate our current tools and infrastructure are from a security standpoint.

Basically, you can only reasonably hope to verify a patch if you're not already owned, so you also have to assume you're not in order to verify. It's as if there was a contagious disease that has a good chance of killing you after a number of years, but the diagnostic tests can only be counted on to work if you don't have the disease in the first place. So then why would anyone ever bother getting tested? Our current situation is that uncomfortable.


> Basically, you can only reasonably hope to verify a patch if you're not already owned, so you also have to assume you're not in order to verify. It's as if there was a contagious disease that has a good chance of killing you after a number of years, but the diagnostic tests can only be counted on to work if you don't have the disease in the first place. So then why would anyone ever bother getting tested? Our current situation is that uncomfortable.

Being owned is less like having a virus and more like having schizophrenia. You can't ever expect to self-verify yourself, because if you're suffering from it, everything you're perceiving is being filtered through a compromised and untrustworthy system.

You have to trust some third-party that you believe to not be similarly compromised to do the verification for you.


> You have to trust some third-party that you believe to not be similarly compromised to do the verification for you.

Which effectively means that most people won't bother, unless a "trusted third party" is built into their machine.

But that has huge potential problems of its own.


That gave me a good chuckle. Thanks for that.


You make a valid and well-understood point. Ken Thompson's classic paper: http://cm.bell-labs.com/who/ken/trust.html


Looks like you can get the sha1 via https: https://support.apple.com/kb/DL1726


That wouldn't even need an SSL bug to MITM



