[liberationtech] Chromebooks for Risky Situations?
michael at briarproject.org
Wed Feb 6 08:11:07 PST 2013
On 06/02/13 15:52, Rich Kulawiec wrote:
> Many operating systems and applications and even application
> extensions (e.g., Firefox extensions) now attempt to discover the
> presence of updates for themselves either automatically or because
> a user instructs them to do so. Is there any published research on the
> security consequences of doing so? (What I'm thinking of is an
> adversary who observes network traffic and thus can ascertain
> operating system type/version/patch level, installed application
> base/version/patch level, etc.)
I'd be interested to hear about rollback attacks on such mechanisms.
For example, Debian's security updates are signed, but they're fetched
over an unauthenticated channel. Can an attacker fool a Debian system
into believing that no updates are available?