[liberationtech] Chromebooks for Risky Situations?
Michael Rogers
michael at briarproject.org
Wed Feb 6 08:11:07 PST 2013
On 06/02/13 15:52, Rich Kulawiec wrote:
> Many operating systems and applications and even application
> extensions (e.g., Firefox extensions) now attempt to discover the
> presence of updates for themselves either automatically or because
> a user instructs them to do so. Is there any published research on the
> security consequences of doing so? (What I'm thinking of is an
> adversary who observes network traffic and thus can ascertain
> operating system type/version/patch level, installed application
> base/version/patch level, etc.)
I'd be interested to hear about rollback attacks on such mechanisms.
For example, Debian's security updates are signed, but they're fetched
over an unauthenticated channel. Can an attacker fool a Debian system
into believing that no updates are available?
Cheers,
Michael
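Added example, not part of the original message or of any project's code: a client-side freshness check for signed repository metadata, covering the case the message raises, where an old but validly signed index is replayed over an unauthenticated channel. It assumes the signature has already been verified and that the index carries apt-style `Date` and `Valid-Until` fields; the sample files, the function names, and the policy of rejecting an index without an expiry are assumptions made for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample metadata in the style of an apt Release file.
OLD_RELEASE = """Suite: stable
Date: Wed, 30 Jan 2013 08:00:00 UTC
Valid-Until: Wed, 06 Feb 2013 08:00:00 UTC
SHA256:
 0000 1234 main/binary-amd64/Packages
"""
NEW_RELEASE = """Suite: stable
Date: Wed, 06 Feb 2013 08:00:00 UTC
Valid-Until: Wed, 13 Feb 2013 08:00:00 UTC
"""
NO_EXPIRY = "Suite: stable\nDate: Wed, 06 Feb 2013 08:00:00 UTC\n"


def parse_release(text):
    """Parse the top-level 'Field: value' lines of a Release-style index."""
    fields = {}
    for line in text.splitlines():
        if line.startswith(" ") or ":" not in line:
            continue  # skip checksum continuation lines
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def check_freshness(release_text, last_seen_date, now):
    """Return (ok, reason) for an index whose signature is already verified.

    A valid signature only proves the index was published at some point;
    these checks ask whether it is still the current one.
    """
    fields = parse_release(release_text)
    date = parsedate_to_datetime(fields["Date"])
    # Rollback: never accept an index older than one accepted before.
    if last_seen_date is not None and date < last_seen_date:
        return False, "rollback"
    # Without an expiry, a replayed old index looks identical to "no updates".
    if "Valid-Until" not in fields:
        return False, "no-expiry"
    # Freeze: the attacker keeps serving the last index the client saw.
    if now > parsedate_to_datetime(fields["Valid-Until"]):
        return False, "expired"
    return True, "fresh"


def release_date(release_text):
    """Date to store as last_seen_date after accepting an index."""
    return parsedate_to_datetime(parse_release(release_text)["Date"])
```

The check depends on a trustworthy local clock and on the client persisting `last_seen_date` across runs.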