Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Updates and encryption


  • Please log in to reply
4 replies to this topic

#1 philfil

philfil

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:10:08 AM

Posted 19 January 2016 - 02:19 PM

I read somewhere that updates are often encrypted. I took this to mean that the update was encrypted before it arrived at your computer and then decrypted once on board. Does anyone know if this is generally true of updates such as Windows updates or antivirus software updates?

 

I read about this a while ago and the article wasn't very specific, so I can't be certain that it implied what I have stated above.


Edited by philfil, 19 January 2016 - 02:20 PM.


BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,056 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:08 AM

Posted 20 January 2016 - 06:59 AM

You may have misread or misunderstood the article. Obviously a link would be helpful so we could read what the writer actually said.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 philfil

philfil
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:10:08 AM

Posted 20 January 2016 - 08:12 AM

I have since had a look on the internet (although I can't recall where I first read about this).

 

I have found these:

 

 "Any Windows computer that fetches updates from a WSUS server using a non-https URL is vulnerable, the researchers warned."

 

From:http://www.computing.co.uk/ctg/news/2421029/windows-update-vulnerability-puts-corporate-networks-at-risk-from-malicious-insiders-warn-researchers

 

This suggests that Windows update servers can deliver updates which have been encrypted in a manner similar to that used in https, but they don't necessarily do this.

 

Also:

"Use the Secure Sockets Layer (SSL) for WSUS connections (server-to-server or server-to-client computer) on all computers that download updates through the Internet. For more information about configuring SSL,"

 

From: https://technet.microsoft.com/en-us/library/dd939849%28v=ws.10%29.aspx

 

Again, it suggests that using encrypted update communication is optional. Also, on one of these pages I read that the encryption applies only to metadata and not to the updates themselves.

 

I have a minor interest in this because vulnerable applications are usually considered to be those which interact with the internet or with files downloaded such as browsers, email clients, Java and Adobe Acrobat. I wondered if downloading updates could also be a potential risk.


Edited by philfil, 20 January 2016 - 08:14 AM.


#4 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,751 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:08 AM

Posted 21 January 2016 - 05:19 PM

Updates are not often encrypted. But Windows updates are digitally signed.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019
MVP_Horizontal_BlueOnly.png

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#5 philfil

philfil
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:10:08 AM

Posted 21 January 2016 - 06:41 PM

Updates are not often encrypted. But Windows updates are digitally signed.

 

Thank you for your views on this.






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users