
This what

> According to iVerify, once activated, the application downloads a configuration file via an insecure connection, which can result in system-level code being executed. The configuration file is retrieved from a domain hosted by AWS over unsecured HTTP, which leaves the configuration and the device vulnerable to malicious code, spyware and data wiping.



https://xkcd.com/463/

The "unsecured HTTP" is about as relevant as lactose is for a butterfly.


The app isn't used by Verizon anymore.

How long will they keep the domain they used for that?


Huh? Are you really saying that downloading configuration files over HTTP is fine? (I’m really struggling to find a charitable interpretation)


Of course it is. If you want security, you should secure the files (i.e., signatures, public key, whatever), not the carrier pigeon used to send them.


I think their argument is it shouldn’t download any configuration via any connection.


No, it's that HTTP means nothing.


Of course it's fine. You sign the files


HTTP means nothing
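An added example, not written by any commenter in this thread: a sketch of the "sign the files" approach discussed above, where the device checks an RSA PKCS#1 v1.5 signature over the downloaded config and also rejects a validly signed but older config, since a signature alone does not stop replay of a stale file. The key is a constructed toy key, and `verify_config`, `sign`, the `version` field and the sample URL are assumptions made for illustration.

```python
import hashlib
import json

# Constructed demo key. NOT secure: both primes are well-known Mersenne primes.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                              # public modulus, shipped in the app
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, stays with the publisher
K = (N.bit_length() + 7) // 8          # modulus length in bytes

# DER prefix of the SHA-256 DigestInfo structure (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def _encode(msg: bytes) -> int:
    """EMSA-PKCS1-v1_5 encoding of msg, returned as an integer."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")


def sign(msg: bytes) -> int:
    """Publisher side: requires the private exponent D."""
    return pow(_encode(msg), D, N)


def verify_config(blob: bytes, sig: int, min_version: int) -> dict:
    """Device side: uses only (N, E). Raises ValueError on any failure."""
    # Re-encode and compare the whole block instead of parsing the padding,
    # so malformed or trailing data in the signature block cannot slip through.
    if not 0 < sig < N or pow(sig, E, N) != _encode(blob):
        raise ValueError("bad signature")
    cfg = json.loads(blob)             # parse only after the signature checks out
    if cfg["version"] < min_version:
        raise ValueError("rollback: signed but older than installed config")
    return cfg


# Constructed sample config and its signature, as the publisher would ship them.
SAMPLE_BLOB = b'{"version": 7, "update_url": "http://config.example.invalid/"}'
SAMPLE_SIG = sign(SAMPLE_BLOB)

if __name__ == "__main__":
    print(verify_config(SAMPLE_BLOB, SAMPLE_SIG, min_version=7))
```

The transport never enters the check: the same bytes verify or fail whether they arrived over HTTP or HTTPS.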



