[liberationtech] Auditing of Auto-Update of software commonly used by Human Rights Defenders

Fabio Pietrosanti (naif) lists at infosecurity.ch
Mon May 19 13:02:27 PDT 2014


On 5/18/14, 6:24 PM, Rich Kulawiec wrote:
> On Thu, May 15, 2014 at 07:36:07AM +0200, Fabio Pietrosanti (naif) wrote:
>> I think that it would be very important to organize a project to audit the
>> functionalities of Auto-Update of software commonly used by human rights
>> defenders.
> Yes, but I'll go one step further: auto-update is a horrible idea -- even
> if the connection is encrypted.
But the problem is still there:
- there's plenty of small software with auto-update functionalities to
be audited/exploited
- there are probably many that provide their download instructions /
installation files over http

Auditing most of them would make people more resilient against
easier/stupid attacks, increasing the attack difficulty for the adversary.

But you should not just ask people to switch to "more secure
software", but also understand what software they use, working
towards securing what they "are using today".

-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org



