Comment

Comment on A sneaky demonstration of the dangers of curl bash

What you said is the key infra needs to get compromise. I do not need to own the PKI that issued the certs, I just need the private key of the signer. And again, this is something that happens. A lot. A software publisher gets owned, then their account is used to distribute malware.

source

Sort:hotnew top

ShortN0te@lemmy.ml ⁨19⁩ ⁨hours⁩ ago

To achieve a compromised update you either need to compromise the update infrastructure AND the key or the infratstructure AND exploit the local updater to accept the invalid or forged signature.

As i said, to compromise a signature checked update over the internet you need to compromise both, the distributing infrastructure AND the key. With just either one its not possible. (Ignoring flaws in the code ofc)

source
- xylogx@lemmy.world ⁨18⁩ ⁨hours⁩ ago
  Take a look at Shai Hulud. All the attacker had was the key.
  
  source
  - ShortN0te@lemmy.ml ⁨15⁩ ⁨hours⁩ ago
    Yes, the secrets to submit to the distribution system got compromised and therefore the system got compromised.
    
    source