Protection against MiTM attacks?

I went to download Sophos Anti-Virus for Mac, Home Edition and noticed that the download site was HTTP-only. Trying to simply substitute an https URL for the download gave me a certificate warning (the certificate identified some Akamai CDN servers, not sophos.com).

Thankfully, SophosSupport on twitter was able to give me an MD5 of the download so that I could verify (sorta) that the .dmg I was downloading was indeed from Sophos. They also said they'd talk to the web team at Sophos about the certificate.

Now, arguably, most people won't blink twice when downloading software, but it really concerned me that I couldn't verify the identity of the server I was downloading this *executable* from. Home users won't have a Sophos web appliance to protect them ;)

Does Sophos plan to offer protection against MiTM (and/or hacked download server) attacks for its consumer products? And, out of curiosity, what other protections are provided against MiTM attacks for SAV-HE? Are auto-updates protected? How about IDEs/virus-definition updates?

(P.S. Kudos to Sophos for releasing this tool, looking forward to getting it installed)

  • > Mac HE is a special case as "unusual high" demand could be expected and therefore a distribution network is used. If you look at the other product pages download is via https (note that this does not offer absolute protection against MiTM attacks but let's not get too technical).

    Sure, I can understand why a CDN would be used. However, it doesn't seem like a good excuse to allow unverified downloads.

    > The MD5 is provided on the FAQs tab - agreed it could be put more prominently near the download link.

    An MD5 published on an HTTP site (which could also be hijacked) is only sufficient for checking if a download is intact. To verify that it was actually created by Sophos, either a signature file (e.g. validating a PGP/GPG signature file) or being able to download the MD5 over HTTPS (w/ cert validation) would be needed.

    > The update mechanism (software and IDEs) uses the same methods to verify the integrity of the downloads as the licensed products.

    Excellent, that's one thing I wanted to know.

    > Of course you'll never get absolute protection but I guess it'd need a "military grade" attack to break and abuse it. Besides - what would be the gain of (directly) attacking an AV product?

    Replacing the .dmg (which isn't signed) with a dubious one would allow arbitrary code execution.

    > Oh, and didn't you ask when you were at Sophos?

    Definitely did, but it's been 2.5 years and Sophos didn't have any home editions back then (well, nothing serious). I'm mostly curious in knowing if HE does it the same way as the other products (for the benefit of this forum's readers), but you answered that above.
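The integrity-versus-authenticity distinction made in the reply above, as an added example that is not part of the original thread or of any Sophos tooling: it checks a downloaded file against a published MD5 (or SHA-256, via the `algorithm` parameter) and shows that the check only catches a corrupted or swapped file when the published digest comes from a channel the party swapping the file cannot also rewrite. The installer bytes and digest are constructed for the example, not real Sophos values; the PGP/GPG signature route mentioned in the reply is not covered here.

```python
import hashlib
import hmac

# Constructed stand-in for a downloaded installer; not a real .dmg.
GENUINE_INSTALLER = b"SOPHOS-HE-INSTALLER-EXAMPLE\x00" * 64
# Digest a vendor would publish for the genuine file (constructed here).
PUBLISHED_MD5 = hashlib.md5(GENUINE_INSTALLER).hexdigest()


def file_digest(data: bytes, algorithm: str = "md5") -> str:
    """Hex digest of the downloaded bytes with the named hashlib algorithm."""
    return hashlib.new(algorithm, data).hexdigest()


def verify_integrity(data: bytes, published_hex: str, algorithm: str = "md5") -> bool:
    """True if the download hashes to the published digest.

    hmac.compare_digest keeps the comparison constant-time; the digest itself
    only proves the bytes match whatever the publisher hashed, nothing about
    who published them.
    """
    return hmac.compare_digest(file_digest(data, algorithm), published_hex.strip().lower())


def flip_last_byte(data: bytes) -> bytes:
    """Simulate a download that was corrupted or substituted in transit (constructed)."""
    return data[:-1] + bytes([data[-1] ^ 0x01])


def run_scenarios() -> dict:
    """Show what a checksum comparison does and does not establish."""
    altered = flip_last_byte(GENUINE_INSTALLER)
    return {
        # Digest obtained over a channel the attacker cannot alter (HTTPS with
        # certificate validation, or confirmed out of band): a changed file is caught.
        "genuine_file_trusted_digest": verify_integrity(GENUINE_INSTALLER, PUBLISHED_MD5),
        "altered_file_trusted_digest": verify_integrity(altered, PUBLISHED_MD5),
        # Digest read from the same plain-HTTP page as the file: whoever can
        # swap the file can also publish a digest of the swapped file, so the
        # check passes and says nothing about origin.
        "altered_file_digest_from_same_channel": verify_integrity(altered, file_digest(altered)),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

The second and third scenarios are the point of the reply: the same function returns False for a tampered file when the digest is trustworthy and True when the digest travelled with the file over an unauthenticated channel. MD5 is kept because that is what the thread discusses; the `algorithm` parameter lets the same check run against a SHA-256 value where a publisher provides one.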