TLS for download URLs

Hi!

I was wondering if it would be possible to set up HTTPS for the download URLs for the various packages. Given the current state of the internet, and especially given that many of the applications you’re distributing involve providing my administrator credentials, it would go a long way towards ensuring the security of user systems against MITM attacks.

  • Les

Good point. But I thought signing updates was enough to prevent MITM attacks.

We use Sparkle updater with DSA signatures.

You can see them in our sparkle feeds:
http://updates-s3.binaryage.com/totalfinder-beta.xml

And additionally our packages/binaries are code-signed using Apple’s tools.

Unless we made some implementation mistake, MITM attacks shouldn't be possible.

The problem is that without HTTPS for the original downloads, the user can be MITM’d when they download the original app. An attacker doesn’t ever have to worry about the DSA signatures, because their malicious app could ignore bad signatures or just update from an entirely different source.

  • Les
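The gap Les describes, as an added example that is not BinaryAge's or Sparkle's code: DSA-signed update enclosures are only checked against the public key baked into whatever binary the user installed first, so an attacker who swaps the plain-http initial download also swaps the trust root. The DSA below uses toy parameters (p=23, q=11, g=4) so it runs instantly; the key values, the update payload and the attacker's feed host are constructed for the example.

```python
# Added example, not Sparkle's or BinaryAge's code: why signed updates do not
# protect the first download. Toy DSA group; insecure, for illustration only.
import hashlib
from typing import Dict, Tuple

P, Q, G = 23, 11, 4  # toy parameters; real Sparkle DSA keys are 1024-bit+


def digest(data: bytes) -> int:
    """Hash the payload into Z_q (real DSA truncates the hash to |q| bits)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen(x: int) -> Tuple[int, int]:
    """Private key x in [1, q-1]; public key y = g^x mod p."""
    assert 1 <= x < Q
    return x, pow(G, x, P)


def sign(x: int, data: bytes) -> Tuple[int, int]:
    h = digest(data)
    # Toy only: walk k deterministically. Real DSA MUST draw a fresh random k
    # per signature; reusing k across two messages leaks the private key.
    for k in range(1, Q):
        r = pow(G, k, P) % Q
        if r == 0:
            continue
        s = pow(k, -1, Q) * (h + x * r) % Q
        if s != 0:
            return r, s
    raise RuntimeError("no usable k found")


def verify(y: int, data: bytes, sig: Tuple[int, int]) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    h = digest(data)
    u1, u2 = h * w % Q, r * w % Q
    v = (pow(G, u1, P) * pow(y, u2, P) % P) % Q
    return v == r


class InstalledApp:
    """What the first download leaves on disk: a binary plus the update public
    key and feed URL it carries. Update enclosures are checked against that key."""

    def __init__(self, vendor: str, feed_url: str, update_pubkey: int):
        self.vendor, self.feed_url, self.update_pubkey = vendor, feed_url, update_pubkey

    def accepts_update(self, enclosure: bytes, signature: Tuple[int, int]) -> bool:
        return verify(self.update_pubkey, enclosure, signature)


VENDOR_PRIV, VENDOR_PUB = keygen(3)      # constructed vendor key
ATTACKER_PRIV, ATTACKER_PUB = keygen(5)  # constructed attacker key

GENUINE = InstalledApp("BinaryAge",
                       "http://updates-s3.binaryage.com/totalfinder-beta.xml", VENDOR_PUB)
# Hypothetical attacker-controlled feed host (constructed name).
TROJANED = InstalledApp("attacker",
                        "http://updates.attacker.invalid/feed.xml", ATTACKER_PUB)


def first_download(url: str, attacker_on_path: bool) -> InstalledApp:
    """Over plain http an on-path attacker can replace the installer, so the
    user ends up with the attacker's key and feed. HTTPS is assumed to defeat
    on-path tampering here."""
    if url.startswith("http://") and attacker_on_path:
        return TROJANED
    return GENUINE


def scenario(attacker_on_path: bool, download_url: str) -> Dict[str, object]:
    """Install via the given URL, then see whose signed updates the app accepts."""
    app = first_download(download_url, attacker_on_path)
    update = b"TotalFinder-update.zip (constructed payload)"
    return {
        "installed_from": app.vendor,
        "accepts_vendor_update": app.accepts_update(update, sign(VENDOR_PRIV, update)),
        "accepts_attacker_update": app.accepts_update(update, sign(ATTACKER_PRIV, update)),
    }


if __name__ == "__main__":
    for on_path, url in [(False, "http://dl.example.invalid/TotalFinder.pkg"),
                         (True, "http://dl.example.invalid/TotalFinder.pkg"),
                         (True, "https://dl.example.invalid/TotalFinder.pkg")]:
        print(on_path, url, scenario(on_path, url))
```

Once the genuine app is installed, the signature check does its job: attacker-signed enclosures are rejected. When the first download was tampered with, the same check passes the attacker's updates and rejects the vendor's, which is exactly why the signature scheme cannot substitute for TLS on the initial download.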

What about teaching users to check the developer signature when installing the pkg for the first time?

Users can click the lock icon in the upper-right corner to get information about the signature:

https://dl.dropboxusercontent.com/u/559047/developer-signed-package.png

The problem with SSL infrastructure is:

  1. it costs money and time to maintain
  2. we use heroku.com, cdn77.com and amazon S3 for hosting, all of them would need to be protected by SSL (and still we would have the risk that any of them was compromised internally by replacing our files with something else)
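Checking the developer signature, as an added example that is not BinaryAge's code: the lock icon only tells the user that some Apple-issued Developer ID signed the package, and anyone can enrol for one, so the check has to compare the signer against a name or Team ID obtained out of band (for instance from the vendor's site over https). The script wraps Apple's `pkgutil --check-signature`; the sample output, developer name and Team ID are constructed placeholders.

```python
# Added example, not BinaryAge's code: automate the first-install signature
# check with pkgutil and pin the expected signer instead of accepting any
# valid Developer ID signature.
import re
import subprocess
from typing import Dict, Optional

# Constructed sample in the shape pkgutil --check-signature prints;
# "Example Vendor Ltd" and ABCDE12345 are placeholders, not real values.
SAMPLE_OUTPUT = """\
Package "TotalFinder.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Example Vendor Ltd (ABCDE12345)
       Expires: 2027-01-01 00:00:00 +0000
    2. Developer ID Certification Authority
    3. Apple Root CA
"""

UNSIGNED_OUTPUT = """\
Package "TotalFinder.pkg":
   Status: no signature
"""

# Status texts that mean the chain leads back to Apple (newer and older pkgutil
# wording). "no signature" and "signed by untrusted certificate" are rejected.
TRUSTED_STATUS_PREFIXES = (
    "signed by a developer certificate issued by Apple",
    "signed by a certificate trusted by",
)


def parse_check_signature(output: str) -> Dict[str, Optional[str]]:
    """Extract the Status line, the leaf certificate (chain entry 1) and the
    10-character Team ID in parentheses. Fields are None when absent."""
    status = re.search(r"^\s*Status:\s*(.+?)\s*$", output, re.M)
    leaf = re.search(r"^\s*1\.\s*(.+?)\s*$", output, re.M)
    team = re.search(r"\(([A-Z0-9]{10})\)", leaf.group(1)) if leaf else None
    return {
        "status": status.group(1) if status else None,
        "leaf": leaf.group(1) if leaf else None,
        "team_id": team.group(1) if team else None,
    }


def signature_ok(output: str, expected_team_id: str) -> bool:
    """Policy: trusted status, leaf is a Developer ID Installer certificate,
    and the Team ID equals the one the user verified out of band."""
    info = parse_check_signature(output)
    status, leaf = info["status"], info["leaf"]
    return (
        status is not None
        and status.startswith(TRUSTED_STATUS_PREFIXES)
        and leaf is not None
        and leaf.startswith("Developer ID Installer:")
        and info["team_id"] == expected_team_id
    )


def check_pkg(path: str, expected_team_id: str) -> bool:
    """macOS only: run pkgutil on a real .pkg and apply the policy above."""
    proc = subprocess.run(["pkgutil", "--check-signature", path],
                          capture_output=True, text=True)
    return signature_ok(proc.stdout, expected_team_id)


if __name__ == "__main__":
    print(parse_check_signature(SAMPLE_OUTPUT))
    print(signature_ok(SAMPLE_OUTPUT, "ABCDE12345"))  # expected signer
    print(signature_ok(SAMPLE_OUTPUT, "ZZZZZZZZZZ"))  # some other developer
```

The Team ID comparison is the part a user clicking the lock icon usually skips; without it a package signed by any other Developer ID account passes the visual check. `spctl --assess --type install TotalFinder.pkg` gives an equivalent Gatekeeper verdict but likewise does not pin the signer. Either way the expected Team ID still has to reach the user over a channel the attacker cannot rewrite, which brings the discussion back to HTTPS for the download page.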