Sparkle Updater compromised

http://www.macrumors.com/2016/02/09/sparkle-hijacking-vulnerability/

Well, it appears that not all versions of Sparkle are affected and the attacker has to be on the same WiFi network. So yes, a vulnerability, but really, how vulnerable is it really?

If anyone understands the vulnerability, I’d love to know if it’s something I should examine in Kaju.

The attack is explained at https://vulnsec.com/2016/osx-apps-vulnerabilities/. If you are using http for the Sparkle updates you could be vulnerable to a man in the middle attack from within your own WiFi network.

Doesn’t Kaju do signing?
Using https or verifying signatures should protect against a man in the middle attack.

Yes, public-private key signing of the information packet that includes a hash of the file to be downloaded.

I think it’s a lot harder to pull off than “attacker on the same WiFi network” - the attacker has to be able to intercept packets (a man in the middle, or MITM, attack), which is more like the attacker has to be “in control OF the WiFi network”. Certainly a vulnerability but I don’t think it’s quite as bad as it’s being portrayed.

Why on earth would any developer use http instead of https to deliver executables?

The latest Sparkle doesn’t allow insecure http any more unless you explicitly override it.

A quick look at the “SUFeedURL” in the Info.plist of any application that uses Sparkle will show whether it uses http or https.
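The Info.plist check described above, written out as an added example (not code from the thread or from Sparkle itself): it parses the SUFeedURL and flags feeds that are not https and that also carry no signing key. The sample plists are constructed, and the signing-key names SUPublicDSAKeyFile / SUPublicEDKey are assumed to be the Sparkle keys to look for.

```python
import plistlib
from pathlib import Path
from urllib.parse import urlparse

# Sparkle reads its appcast URL from SUFeedURL; the public key used to verify
# update signatures is referenced by SUPublicDSAKeyFile (older Sparkle) or
# SUPublicEDKey (newer). The sample plists below are constructed stand-ins.
SAMPLE_PLISTS = {
    "PlainHttpApp.app": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>SUFeedURL</key><string>http://updates.example.invalid/appcast.xml</string>
</dict></plist>""",
    "HttpsSignedApp.app": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>SUFeedURL</key><string>https://updates.example.invalid/appcast.xml</string>
  <key>SUPublicEDKey</key><string>CONSTRUCTED-BASE64-KEY</string>
</dict></plist>""",
    "NoSparkleApp.app": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.nosparkle</string>
</dict></plist>""",
}

def audit_info_plist(plist_bytes):
    """Classify one Info.plist: uses Sparkle? feed over https? signing key present?"""
    info = plistlib.loads(plist_bytes)
    feed = info.get("SUFeedURL")
    if feed is None:
        return {"sparkle": False, "https": None, "signed": None}
    scheme = urlparse(feed).scheme.lower()
    signed = "SUPublicEDKey" in info or "SUPublicDSAKeyFile" in info
    return {"sparkle": True, "https": scheme == "https", "signed": signed}

def risky(report):
    """Plain-http feed with no signing key: the MITM case the thread discusses."""
    return report["sparkle"] and not report["https"] and not report["signed"]

def audit_bundles(plists):
    return {name: audit_info_plist(data) for name, data in plists.items()}

def audit_applications_folder(root="/Applications"):
    """Same check over real bundles on a Mac (not exercised by the sample run)."""
    found = {}
    for p in Path(root).glob("*.app/Contents/Info.plist"):
        found[p.parent.parent.name] = audit_info_plist(p.read_bytes())
    return found

if __name__ == "__main__":
    for name, report in audit_bundles(SAMPLE_PLISTS).items():
        print(name, report, "RISKY" if risky(report) else "")
```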