[SECURITY] Little Snitch update overs over HTTP

https
Posts: 1
Joined: Sun Aug 17, 2014 4:59 pm

Post by https » Sun Aug 17, 2014 5:05 pm

Little Snitch's updating mechanism downloads a new DMG over HTTP (i.e., in clear-text).

This leaves users vulnerable to man-in-the-middle binary replacement attacks.

This issue is described here: https://firstlook.org/theintercept/2014 ... ideo-hack/

And more technically here: https://citizenlab.org/2014/08/cat-vide ... lear-text/

Code:

http://sw-update.obdev.at/update-feeds/littlesnitch3.plist

<key>DownloadURL</key>
<string>http://sw-update.obdev.at/ftp/pub/Products/LittleSnitch/LittleSnitch-3.3.4.dmg</string>


Please modify the update mechanism to happen over TLS (preferably with forward secrecy enabled).

Thank you!

loyalobdevfan
Posts: 3
Joined: Mon Aug 18, 2014 4:53 am

Re: [SECURITY] Little Snitch update overs over HTTP

Post by loyalobdevfan » Mon Aug 18, 2014 4:59 am

+1 +1 +1 +1 +1 +1 +1 +1 +1 +1

I love Obdev to death but please fix this ASAP.

Thank you.

manfred
Objective Development
Posts: 561
Joined: Sat Jul 31, 2010 9:47 am
Location: Vienna

Re: [SECURITY] Little Snitch update overs over HTTP

Post by manfred » Thu Aug 21, 2014 3:36 pm

https wrote: This leaves users vulnerable to man in the middle binary replacement attacks.

No it doesn't. We use a public key cryptographic signature which is distributed with the software update feed. Little Snitch Software Update has the public key to verify this signature before installation.

If you check the Update Feed, you can see the signature below the download link:

Code:

<key>DownloadURL</key>
<string>http://sw-update.obdev.at/ftp/pub/Products/LittleSnitch/LittleSnitch-3.3.4.dmg</string>
<key>DownloadSignature</key>
<string>MCwCFDsrmKrgiSoOV8k/UrLnOVCodv+AAhRa7rX5QCIZVD6ArckzTosMr4f2XQ==</string>


We avoid HTTPS in the update feed because we want to make it easy for the user to verify which information we send to our server during the update check. Since we don't need encryption, we have implemented our own signature check.

Nevertheless, we are considering a move to HTTPS for software updates and downloads because we have to explain this decision over and over again. That makes the update less transparent, but security more obvious to the user.
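
What an update client has to extract from the feed entry quoted in the post above before it can verify anything, as an added example (not Objective Development's code): it parses the two keys and decodes DownloadSignature, which is a DER SEQUENCE of two 20-byte INTEGERs, the encoding used for a DSA-style (r, s) pair. The public key is not on this page, so the verification step itself is left out; the plist wrapper and the function names are assumptions.

```python
import base64
import plistlib

# Feed entry copied from the post above; the <plist><dict> wrapper is added
# here so the fragment parses (assumption: the real feed carries more keys).
FEED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>DownloadURL</key>
<string>http://sw-update.obdev.at/ftp/pub/Products/LittleSnitch/LittleSnitch-3.3.4.dmg</string>
<key>DownloadSignature</key>
<string>MCwCFDsrmKrgiSoOV8k/UrLnOVCodv+AAhRa7rX5QCIZVD6ArckzTosMr4f2XQ==</string>
</dict></plist>"""


def read_der_int(buf, pos):
    """Read one short-form, non-negative DER INTEGER; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != 0x02 or buf[pos + 1] >= 0x80:
        raise ValueError("expected a short-form DER INTEGER")
    end = pos + 2 + buf[pos + 1]
    body = buf[pos + 2:end]
    if end > len(buf) or not body or body[0] & 0x80:
        raise ValueError("truncated, empty or negative INTEGER")
    return int.from_bytes(body, "big"), end


def parse_signature(b64):
    """Decode DER SEQUENCE { INTEGER r, INTEGER s }; reject any other shape."""
    der = base64.b64decode(b64, validate=True)
    if len(der) < 2 or der[0] != 0x30 or der[1] >= 0x80 or der[1] != len(der) - 2:
        raise ValueError("not one short-form DER SEQUENCE")
    r, pos = read_der_int(der, 2)
    s, pos = read_der_int(der, pos)
    if pos != len(der):
        raise ValueError("trailing bytes after s")
    return r, s


def load_update(feed_bytes):
    """Return (url, r, s); fail closed if the signature is missing or malformed."""
    entry = plistlib.loads(feed_bytes)
    r, s = parse_signature(entry["DownloadSignature"])  # KeyError when absent
    return entry["DownloadURL"], r, s


if __name__ == "__main__":
    url, r, s = load_update(FEED)
    print(url, r.bit_length(), s.bit_length())
```

A client built this way refuses to install when the key is absent or the blob is not exactly two integers, and only then hands (r, s) and the downloaded bytes to the signature check against the public key shipped inside the application.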

mbaughn
Posts: 2
Joined: Sat Aug 23, 2014 1:27 am

Re: [SECURITY] Little Snitch update overs over HTTP

Post by mbaughn » Sat Aug 23, 2014 1:34 am

I understand your logic regarding the update process and internal security checks, but is it possible for you to post a sha256 digest or GPG sig alongside the original .dmg file so users have some confidence that the initial install is clean?

mbaughn
Posts: 2
Joined: Sat Aug 23, 2014 1:27 am

Re: [SECURITY] Little Snitch update overs over HTTP

Post by mbaughn » Mon Aug 25, 2014 11:08 pm

The SHA-256 sum I get for LittleSnitch-3.3.4.dmg is 19dfcd33594fc14be321c3f54651059029b73f715158e0498ba01ceb69bf6c4a

Anybody else?
