How Apple could fix it (and open it)
Authored by: Anonymous on Jul 09, '02 04:35:30AM

Hi!
This exploit (the same one that is possible against ssh, but there you will be warned) is called a "man-in-the-middle attack".
But it would be simple for Apple to provide a public key/signature with future "original installations", so all future data from Apple could be verified (they could also use gpg-signing or so; the point is, every Mac needs to have a way to "prove" the software you download is indeed from Apple and no-one has tampered with it).
The benefit of this is that a corporate administrator can add local update servers (and add the public key for them).

However, for Apple there is a bootstrap problem: to bring the public key to every Mac, you need to receive the correct one once - but it is not feasible for anyone to prevent the transfer of the correct public key in the long run. (Check out the GPG or OpenSSH homepage on how to validate transferred public keys.)

I hope this is helpful to clarify the situation,
iSee



How Apple could fix it (and open it)
Authored by: escowles on Jul 09, '02 08:51:10AM
There is a golden opportunity for Apple to distribute a public key for validating future Software Update releases: Jaguar. Assuming it's like 10.1 where they are going to distribute CDs, they could include it in the Jaguar CD and install it by default.

For that matter, since openssl is already installed by default, they could also switch Software Update to use SSL-encrypted communication, which would allow them to use the public key to validate the update server, in addition to the packages once they're downloaded.

They could also have a public key and a new version of Software Update for download at their website (https, of course, so it can be verified to be Apple).

-Esme

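Both comments above describe the same mechanism: the vendor signs each update with a private key, the client ships with the matching public key (on the install CD, say) and refuses any package whose signature does not verify. The script below is an added example, not code from the forum posts or from Apple; it uses the openssl command-line tool that the second comment notes is installed by default, and all file names, the "update package" contents and the key pair are constructed here for illustration. It also shows the fingerprint check that addresses the first comment's bootstrap problem: the fingerprint of the pinned public key is something an administrator can compare out of band before trusting it.

```shell
#!/bin/sh
# Added example (not the posters' or Apple's code): detached-signature workflow
# for a software update. Vendor side: sign a package with a private key.
# Client side: verify it against the public key pinned on the machine, so a
# package altered in transit (a man-in-the-middle) is rejected.
# All paths are hypothetical; everything lives in a temporary directory.

set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Vendor side, done once offline: create the signing key pair.
# vendor.pub is what would ship on the install CD / OS image.
vendor_make_keys() {  # $1 = private key path, $2 = public key path
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
  openssl pkey -in "$1" -pubout -out "$2" 2>/dev/null
}

# Vendor side, per release: detached SHA-256/RSA signature over the package.
vendor_sign() {  # $1 = private key, $2 = package, $3 = signature output
  openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Client side: exit 0 only if the signature matches the package under the
# pinned public key. Any byte change in the package, or a signature made
# with a different key, fails.
client_verify() {  # $1 = pinned public key, $2 = package, $3 = signature
  openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# Bootstrap aid: SHA-256 fingerprint (64 hex chars) of the DER-encoded public
# key, for comparing the shipped key against a value obtained out of band.
pubkey_fingerprint() {  # $1 = public key path
  openssl pkey -pubin -in "$1" -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Constructed sample data: a release signed by the real vendor key, plus a
# second key standing in for an attacker who cannot sign as the vendor.
vendor_make_keys "$WORK/vendor.key" "$WORK/vendor.pub"
vendor_make_keys "$WORK/attacker.key" "$WORK/attacker.pub"
printf 'constructed update payload v1.0\n' > "$WORK/update.pkg"
vendor_sign "$WORK/vendor.key" "$WORK/update.pkg" "$WORK/update.pkg.sig"

# Tampered copy: the package the client would get from a man-in-the-middle.
cp "$WORK/update.pkg" "$WORK/tampered.pkg"
printf 'one extra byte\n' >> "$WORK/tampered.pkg"
# Attacker re-signs the tampered copy with a key the client does not trust.
vendor_sign "$WORK/attacker.key" "$WORK/tampered.pkg" "$WORK/tampered.pkg.sig"

echo "pinned key fingerprint: $(pubkey_fingerprint "$WORK/vendor.pub")"

if client_verify "$WORK/vendor.pub" "$WORK/update.pkg" "$WORK/update.pkg.sig"; then
  echo "genuine package:   accepted"
else
  echo "genuine package:   REJECTED (unexpected)"; exit 1
fi

if client_verify "$WORK/vendor.pub" "$WORK/tampered.pkg" "$WORK/update.pkg.sig"; then
  echo "tampered package:  accepted (BUG)"; exit 1
else
  echo "tampered package:  rejected"
fi

if client_verify "$WORK/vendor.pub" "$WORK/tampered.pkg" "$WORK/tampered.pkg.sig"; then
  echo "attacker-signed:   accepted (BUG)"; exit 1
else
  echo "attacker-signed:   rejected"
fi
```

The client never needs the private key, only the pinned public key, which is why shipping that key with the OS (the second comment's CD suggestion) closes the loop: verification works offline against any mirror, including the corporate update servers the first comment mentions. The fingerprint line is the piece an administrator would publish or check by another channel when installing a key for a local server.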