Sparkle updater vulnerability...
UNOwen last edited by
Quoting from various sources, '…third-party update service Sparkle, combined with insecure network protocols and parsing, leaves some OS X apps open to person-in-the-middle exploits….'
There's a list on github (github.com/sparkle-project/Sparkle/issues/717) of vulnerable OSX applications, and f.lux is on it.
What's f.lux respond to this situation, and how does it plan to respond?
herf last edited by
Since 2009, we have delivered updates via SSL, and so we are not vulnerable.
Elhem Enohpi last edited by
@UNOwen The list you linked to is not of vulnerable applications, it specifically says:
this [list] has nothing to do with security. Applications are listed here just because they use Sparkle and we think they're cool.
There's a script you can run to check all your applications for vulnerability. Here's what it says about f.lux:
ok: Flux 36.6 uses HTTPS for updates - safe