|
florida lan posted:security fuckup thread 17.1 - YDGKJFTQDFGQWYFTDUKYWQG loving HELL -----BEGIN PGP PUBLIC KEY BLOCK----- loving HELL -----END PGP PUBLIC KEY BLOCK-----
|
#
?
Jan 19, 2019 11:06
|
|
|
|
| # ? May 19, 2024 19:48 |
|
|
just in time for eu vlc bug bounty huh
|
|
#
?
Jan 19, 2019 11:09
|
|
|
didn't know pagancow had twitter
|
|
#
?
Jan 19, 2019 12:19
|
|
|
Carbon dioxide posted:Anyway, the hardcoded key is 1024-bit DSA. So the police are in on it too, then? 
|
|
#
?
Jan 19, 2019 16:16
|
|
|
Powerful Two-Hander posted:-----BEGIN PGP PUBLIC KEY BLOCK-----
|
|
#
?
Jan 19, 2019 16:30
|
|
|
florida lan posted:security fuckup thread 17.1 - The attack you suggest, if it is possible, is not trivial to describe judging by the size of the description.
|
|
#
?
Jan 19, 2019 19:10
|
|
|
no threat model no threat model you're the threat model
|
|
#
?
Jan 19, 2019 19:14
|
|
|
stop decrypting yourself
|
|
#
?
Jan 19, 2019 19:26
|
|
|
lol they're sticking with it https://twitter.com/videolan/status/1086662728763260930
|
|
#
?
Jan 19, 2019 19:45
|
|
|
they're correct though. (altho idk if id use gpg)
|
|
#
?
Jan 19, 2019 19:45
|
|
|
yeah this isn't the first time http then verify was used, and it causes an argument every time the general use case is to allow transparent caching for large volumes of data though, not a lovely media player
|
|
#
?
Jan 19, 2019 19:47
|
|
|
oh it sounds like they maybe aren't using a good key and/or aren't using it properly which is a problem.
|
|
#
?
Jan 19, 2019 19:50
|
|
|
just use Authenticode you idiots.
|
|
#
?
Jan 19, 2019 19:52
|
|
|
  lmao they are mad
|
|
#
?
Jan 19, 2019 19:52
|
|
|
Shaggar posted:oh it sounds like they maybe aren't using a good key and/or aren't using it properly which is a problem. aiui the problem is if the key doesn't match it tries to check the vlc website for a new key, and then download it (over http of course)
|
|
#
?
Jan 19, 2019 19:54
|
|
|
it seems that if the upgrade can't be verified with the built-in key, vlc downloads a new key from their server over http lol
|
|
#
?
Jan 19, 2019 19:55
|
|
|
goddamnedtwisto posted:aiui the problem is if the key doesn't match it tries to check the vlc website for a new key, and then download it (over http of course) sub par open sores tools lead to sub par open sores solutions.
|
|
#
?
Jan 19, 2019 19:56
|
|
|
lol they deleted the ticket in the tracker
|
|
#
?
Jan 19, 2019 20:01
|
|
|
Celexi posted:lol they deleted the ticket in the tracker yea they're real mad and french
|
|
#
?
Jan 19, 2019 20:14
|
|
|
https://twitter.com/shivasinghal00/status/1086665612326105089 simmer down everyone, okay?
|
|
#
?
Jan 19, 2019 20:15
|
|
|
not a bug uhhh okay its a bug but we're working on it but its not a big deal im not mad im actually laughing
|
|
#
?
Jan 19, 2019 22:30
|
|
|
I, for one, am thankful to the VLC devs for their exemplary handling of this bug report, and will definitely contact them with other issues.
|
|
#
?
Jan 19, 2019 22:38
|
|
|
why is https so hard for them
|
|
#
?
Jan 19, 2019 22:41
|
|
|
ozymandOS posted:it seems that if the upgrade can't be verified with the built-in key, vlc downloads a new key from their server
|
|
#
?
Jan 19, 2019 23:45
|
|
|
ozymandOS posted:it seems that if the upgrade can't be verified with the built-in key, vlc downloads a new key from their server i think it then checks this key is signed by a hardcoded one. this makes sense (ish) because it allows the signing key to be rotated without locking old exe's out of the auto update mechanism
|
|
#
?
Jan 20, 2019 00:41
|
|
|
i.e. he signs vlc.exe with whatever the current key is whenever he builds it and signs new keys with all the old keys, so old versions of vlc can update to the new key safely if they don't have it arguably a safer scheme than relying on tens of millions of users having a correct clock / sensible root ca store / some other way to bootstrap trust in the tls cert (dane lol) although he should probably just try https first and fall back to this if necessary Rufus Ping fucked around with this message at 00:54 on Jan 20, 2019 |
|
#
?
Jan 20, 2019 00:52
|
|
|
i don't know much about cert stuff but it does seem weird to me that they don't even try to do it in a more secure way first
|
|
#
?
Jan 20, 2019 01:00
|
|
|
Rufus Ping posted:i think it then checks this key is signed by a hardcoded one. this makes sense (ish) because it allows the signing key to be rotated without locking old exe's out of the auto update mechanism yeah it's very possible i don't have the whole story, i am repeating what i heard
|
|
#
?
Jan 20, 2019 02:08
|
|
|
https://twitter.com/gwillem/status/1086275952915533828?s=21
|
|
#
?
Jan 20, 2019 07:24
|
|
|
 what the gently caress
|
|
#
?
Jan 20, 2019 18:59
|
|
|
Same bug as the scp one from last week. Guess it made someone go looking
|
|
#
?
Jan 20, 2019 19:12
|
|
|
https://github.com/mysql/mysql-server/commit/98ed3d8bc8ad724686d26c7bf98dced3bd1777be
|
|
#
?
Jan 20, 2019 20:08
|
|
|
Rufus Ping posted:Same bug as the scp one from last week. Guess it made someone go looking people stress out so much about intelligence agencies having secret encryption backdoors and stuff like that, but uh i don't know if they will ever need anything that fancy
|
|
#
?
Jan 20, 2019 23:21
|
|
|
Lutha Mahtin posted:people stress out so much about intelligence agencies having secret encryption backdoors and stuff like that, but uh i don't know if they will ever need anything that fancy like that encryption xkcd
|
|
#
?
Jan 20, 2019 23:54
|
|
|
cinci zoo sniper posted:like that encryption xkcd the last panel wasn't a goatse nor was the punchline "why didn't you just ask nicely?"
|
|
#
?
Jan 21, 2019 01:41
|
|
|
in soviet russia file uploads to you
|
|
#
?
Jan 21, 2019 02:11
|
|
|
Soviet query language
|
|
#
?
Jan 21, 2019 03:16
|
|
|
Volmarias posted:Soviet query language needs more swears
|
|
#
?
Jan 21, 2019 04:58
|
|
|
|
| # ? May 19, 2024 19:48 |
|
|
have an excellent thread: https://twitter.com/hacks4pancakes/status/1086000837615382529
|
|
#
?
Jan 21, 2019 12:22
|
|
