VideoLAN team have recently attracted some heat because of their refusal to evaluate the need of adding TLS to their update distribution channels.
We all love your media player, but that’s really rude #VLC 🙄
VLC developers refused to consider #software "update-over-HTTP" as a threat.
Responded→ “no threat model. no proof. no #security bug"
It wouldn't hurt if you simply consider the suggestion.https://t.co/GWhE1US5Ko pic.twitter.com/L77KDcNUMy— The Hacker News (@TheHackersNews) January 19, 2019
At first, they seem to have a point here. VLC software update distribution (similar to other software package management tools such as Debian/Ubuntu APT) is based on a network of uncontrolled mirrors. These mirrors alleviate last-mile downloads while thriving without the need of approval or official support from the software maintainer.
To mitigate the obvious risk of rogue or malicious package distribution posing as official packages, maintainer signs binaries and introduces some sort of signature check before applying downloaded updates. This effectively reduces the security of the scheme to a mere has this package been modified since the original maintainer created it?
In certain distribution models, this reduction seems to make sense from a slightly limited threat modelling point of view and some people have bothered to explain it carefully. Limited because it rules out the possibility of potential crypto fails or bugs.
It is true that, when talking about software distribution, it is generally more crucial to sign binaries that it is to transmit updates over secure channels. This is one of the reasons Apple got away with updates over HTTP up until iOS 10 (they did control the mirrors though). Typically, one can find distribution channels over TLS through unofficial mirrors that do not provide signature checking. At most, they provide text signatures and shift the responsibility of checking package signatures to the end user by bundling hashes with each download.
Let’s not forget that for a very long time, it was not possible to download Putty in any secure fashion whatsoever.
I can relate to the fact that too much heat was pointed towards APT and VLC teams for not using TLS, while the community chose to ignore lots of other packages distributed over TLS but without signatures. However good defense in depth principles suggest that we should not ditch TLS just because of package signatures seem to get us covered under a particular threat model.
Aside from the fact that TLS in 2019 is ridicously cheap in all senses and excuses for not deploying it have been entirely debunked, as Matthew Green puts it, opting out is probably a bad decision in the long run. Software signing and verification schemes are greatly unvetted compared to TLS protocols, and bugs do appear eventually.
A lot of people think TLS is unnecessary for software updates, provided the update mechanism already includes signing/verification. Unless you’re Microsoft, this seems like a big mistake.— Matthew Green (@matthew_d_green) January 21, 2019
Incidentally, the very day this discussion was peaking in Twitter, CVE-2019-3462 came out.
Good timing I guess.