Update connections to HTTPS
All the connections to the update server are still done in HTTP.
It should be updated to HTTPS.
Proof:
This is a security risk and should be solved ASAP. Thanks
Activity
added Difficulty::easy Platform::macOS Severity::major Type::bug Version::master git + 1 deleted label
changed milestone to %Bugs paradize
added Status::invalid label
removed Status::invalid label
added Status::invalid label
It's trivial to describe any number of threat models for downloading updates over HTTP. The simplest is that of a user who opens VLC while on public wi-fi, where an attacker could intercept the connection and serve a malicious update payload without the user's knowledge. VLC verifies the downloaded update package using a home-rolled GPG signature check implementation (and against a 1024-bit DSA key, which isn't considered up to modern cryptographic security standards), but if the update blob indicates a key other than the hardcoded one, it downloads the requested public key from the VLC update server over HTTP and does nothing further to verify the key itself. This means that all an attacker would have to do to serve a malicious update would be to sign it with their own key, then serve the matching public key when VLC requests it. Unless I'm missing some major additional protection, this is a serious issue.
removed Status::invalid label
Replying to [comment:5 Rodger Combs]:
It's trivial to describe any number of threat models for downloading updates over HTTP.
No it is not. The attack you suggest, if it is possible, is not trivial to describe judging by the size of the description.
And it does also not look like what the OP had in mind.
The ability to attack software that updates over http has been well known for a long time - https://insights.sei.cmu.edu/cert/2017/06/the-consequences-of-insecure-software-updates.html
This will be what OP is referring to because it's the quintessential attack for http connections.
