Unannounced updates - risk of man-in-the-middle attack
Most of the time there are quite a number of new builds of Wuala for certain platforms, sometimes several new builds daily, and there are a lot of days where there isn't any changelog or release notes to be found.
Many times an updated release log appears only days after the actual updates/patches, or only several patches/releases later.
This is a high risk of getting some "updates" for Wuala from a man-in-the-middle, and similar risks.
I wish that the Wuala team would really announce their changes immediately, write some official build number/list and maybe even some hash code, signature or way to make sure that the Wuala installation is the official code.
As Wuala becomes more widespread and common out there, the probability of suffering attacks and tampered updates/patches becomes more likely.
Thanks for listening.
-
I have yet to sniff around a bit in Wuala's traffic, but I hope that updates are already digitally signed + hashed, similar to the package managers many Linux distributions and Unixes use.
A more in-depth description of a typical update process (report build number or hash of some important files to server, get response from server etc.) however would be really helpful!
-
I believe, but may be mistaken, that they use private/public key encryption on the update.





