
Switched to HTTPS due to Sparkle Security vulnerability #225

Merged 1 commit on Jan 30, 2016

Conversation

xu-cheng (Contributor)

@codykrieger (Owner)

As far as I'm aware, gfxCardStatus shouldn't be vulnerable, because all http requests to gfx.io are redirected to https before any content is served. But this is still a good change. Thanks!

codykrieger added a commit that referenced this pull request Jan 30, 2016
Switched to HTTPS due to Sparkle Security vulnerability
@codykrieger codykrieger merged commit ffabc90 into codykrieger:master Jan 30, 2016
@xu-cheng xu-cheng deleted the sparkle-vulnerability branch January 30, 2016 09:33
@xu-cheng (Contributor, Author)

> all http requests to gfx.io are redirected to https

FYI, this is where a MITM attack can be performed, i.e. instead of redirecting to https, an attacker can redirect it to anything.

Thanks for merging.
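As an added illustration of the point made above (this is not code from this PR or from gfxCardStatus): a small audit that reads the SUFeedURL key from a Sparkle-enabled Info.plist and flags a non-https scheme, plus a check that every hop of a redirect chain stays on https, since an http first hop is exactly where an on-path attacker can substitute the redirect. The plist contents, bundle identifier and hostnames are constructed.

```python
"""Audit a Sparkle app's appcast configuration for the plain-http weakness
discussed in this thread: if the feed is fetched over http://, the first
request is unauthenticated, so a server-side http->https redirect cannot
protect it (the attacker answers that request instead of the server)."""
import plistlib
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample Info.plist (not gfxCardStatus's real plist).
PLIST_BEFORE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>CFBundleIdentifier</key><string>com.example.sampleapp</string>
<key>SUFeedURL</key><string>http://example.invalid/appcast.xml</string>
</dict></plist>"""

# The same bundle after the kind of change this PR made.
PLIST_AFTER = PLIST_BEFORE.replace(b"http://example.invalid", b"https://example.invalid")


def feed_url(plist_bytes: bytes) -> Optional[str]:
    """Return the Sparkle appcast URL (SUFeedURL key), or None if absent."""
    return plistlib.loads(plist_bytes).get("SUFeedURL")


def audit_feed_url(url: Optional[str]) -> List[str]:
    """Return findings for the feed URL; an empty list means it is acceptable."""
    if not url:
        return ["SUFeedURL missing: appcast location is not set in the bundle"]
    parsed = urlparse(url)
    findings = []
    if parsed.scheme != "https":
        findings.append(f"SUFeedURL uses {parsed.scheme}://: the first request is "
                        "unauthenticated, so an on-path attacker can serve any appcast")
    if not parsed.netloc:
        findings.append("SUFeedURL has no host")
    return findings


def audit_redirect_chain(hops: List[str]) -> List[str]:
    """Flag every non-https hop in a redirect chain. Even one http hop means the
    Location header at that step came over a channel the attacker controls."""
    return [f"hop {i}: {u} is not https"
            for i, u in enumerate(hops) if urlparse(u).scheme != "https"]


if __name__ == "__main__":
    for label, blob in (("before", PLIST_BEFORE), ("after", PLIST_AFTER)):
        url = feed_url(blob)
        print(label, url, audit_feed_url(url) or "OK")
    # Constructed chain mirroring the thread's scenario: http redirected to https.
    print(audit_redirect_chain(["http://example.invalid/appcast.xml",
                                "https://example.invalid/appcast.xml"]))
```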

@codykrieger (Owner)

Ah, good point. I was only considering the appcast being modified, not being redirected somewhere else entirely.

@xu-cheng (Contributor, Author)

Also, kinda wondering, any chance of a new release?

@zachriggle

A new release would be wonderful <3

@aidantwoods

Any chance of a new release? Looks like the update still occurs over http, making every user with auto update enabled vulnerable to remote code execution by a network attacker :(

I was going to submit a PR myself, but this is kinda nuts that it was fixed a year ago and not yet released...

[two screenshots attached, dated 2017-11-17 21:48]
