Protection against MiTM attacks?

I went to download Sophos Anti-Virus for Mac, Home Edition and noticed that the download site was HTTP-only. Trying to simply substitute an https URL for the download gave me a certificate warning (the certificate identified some akamai CDN servers, not sophos.com).

Thankfully, SophosSupport on twitter was able to give me an MD5 of the download so that I could verify (sorta) that the .dmg I was downloading was indeed from Sophos. They also said they'd talk to the web team at Sophos about the certificate.

Now, arguably, most people won't blink twice when downloading software, but it really concerned me that I couldn't verify the identity of the server I was downloading this *executable* from. Home users won't have a Sophos web appliance to protect them ;)

Does Sophos plan to offer protection against MiTM (and/or hacked download server) attacks for its consumer products? And, out of curiosity, what other protections are provided against MiTM attacks for SAV-HE? Are auto-updates protected? How about IDEs/virus-definition updates?

(P.S. Kudos to Sophos for releasing this tool, looking forward to getting it installed)

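The check the original poster describes (download the installer over plain HTTP, then compare it against an MD5 obtained out of band) is reproduced below as an added example. It is not part of the original post and not Sophos code; the file names, installer bytes and digests are constructed for the demo. It also makes the caveat concrete: the same check accepts a tampered file whenever the attacker controls the channel the digest arrives on, so a digest fetched from the same HTTP site as the file adds nothing.

```python
"""Verify a downloaded installer against a digest published out of band.

Added example (not Sophos code). The forum post describes getting an MD5 for
the Sophos Anti-Virus for Mac Home Edition .dmg from SophosSupport on Twitter
and checking the download against it. A constructed file stands in for the
real .dmg; every file name and byte string here is made up.
"""
import hashlib
import hmac
import os
import tempfile


def file_digest(path, algorithm="md5", chunk_size=1 << 20):
    """Hash a file in chunks so a large .dmg is never read into RAM at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published_hex, algorithm="md5"):
    """Return True only if the file's digest equals the published digest.

    compare_digest avoids a timing side channel on the comparison, and the
    normalisation tolerates a digest pasted from a tweet or FAQ in either case
    or with surrounding whitespace.
    """
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual, published_hex.strip().lower())


def demo():
    """Simulate the download-and-verify flow with constructed files."""
    with tempfile.TemporaryDirectory() as d:
        genuine = os.path.join(d, "savosx_he.dmg")       # constructed, not the real file
        tampered = os.path.join(d, "savosx_he_mitm.dmg")  # same bytes with one bit flipped
        payload = b"constructed installer bytes " * 1024
        with open(genuine, "wb") as f:
            f.write(payload)
        with open(tampered, "wb") as f:
            f.write(payload[:100] + bytes([payload[100] ^ 0x01]) + payload[101:])

        # Digests as a trusted out-of-band channel (e.g. the vendor's support
        # account) would have published them for the genuine file.
        published_md5 = file_digest(genuine, "md5")
        published_sha256 = file_digest(genuine, "sha256")

        return {
            # Trusted digest, genuine download: passes.
            "genuine_md5": verify_download(genuine, published_md5, "md5"),
            "genuine_sha256": verify_download(genuine, published_sha256, "sha256"),
            # Trusted digest, MITM-modified download: caught.
            "tampered_md5": verify_download(tampered, published_md5, "md5"),
            "tampered_sha256": verify_download(tampered, published_sha256, "sha256"),
            # Digest taken from the same untrusted channel as the file: the
            # attacker publishes the digest of the tampered file and the check
            # passes. This is why the digest's channel, not the hash function,
            # is the weak point of the scheme in the thread.
            "attacker_supplied_digest": verify_download(
                tampered, file_digest(tampered, "md5"), "md5"
            ),
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'OK' if ok else 'MISMATCH'}")
```

On the hash choice: MD5 is collision-broken, but producing a second file that matches a fixed, already-published MD5 (a second preimage) is still impractical, so an MD5 delivered over a trusted channel does detect the in-transit tampering the poster worried about. SHA-256 is the sensible default today, yet switching algorithms does nothing about a digest that travels over the same interceptable HTTP connection as the installer.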
This thread was automatically locked due to age.
Hello jstash,

Does Sophos plan to offer protection against MiTM (and/or hacked download server) attacks for its consumer products?

Mac HE is a special case as "unusually high" demand could be expected and therefore a distribution network is used. If you look at the other product pages download is via https (note that this does not offer absolute protection against MiTM attacks but let's not get too technical). The MD5 is provided on the FAQs tab - agreed it could be put more prominently near the download link.

The update mechanism (software and IDEs) uses the same methods to verify the integrity of the downloads as the licensed products. Of course you'll never get absolute protection but I guess it'd need a "military grade" attack to break and abuse it. Besides - what would be the gain of (directly) attacking an AV product?

Oh, and didn't you ask when you were at Sophos? ;)

Christian
