Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

VLC Responds to Criticism Over Lack of HTTPS for Updates

The developers of the popular open source video player VLC, which recently surpassed 3 billion downloads, have responded to criticism over the use of HTTP for software updates.

The developers of the popular open source video player VLC, which recently surpassed 3 billion downloads, have responded to criticism over the use of HTTP for software updates.

Several people have submitted bug reports to VLC over the past period regarding the use of HTTP instead of HTTPS for software updates. A report submitted five days ago has triggered some heated discussions on Twitter and Reddit regarding the associated risks.

When VLC is updated, the client communicates with the server over HTTP, which, in theory, exposes the connection to man-in-the-middle (MitM) attacks and could allow a threat actor to replace the legitimate update with a malicious one without the user’s knowledge.

VLC developers believe that the use of HTTP in their case poses a small risk due to the way the update system has been implemented. They say they do plan on rolling out a new update system, but claim that it’s not an easy task and they have other priorities right now.

They’ve pointed out that the current system is not as insecure as some claim due to the fact that updates are cryptographically signed to ensure that they have not been tampered with.

Some experts have highlighted that the updates are signed using a hardcoded 1024-bit DSA key, which is relatively weak by modern standards. Moreover, they’ve noted that the signing key has not been changed for several years.

While Internet giants and the entire cybersecurity industry have been pushing for the widespread adoption of HTTPS, the developers of the media player and some security experts say the risk is small and attacks would not be easy to carry out.

First, the attacker only has a small window on opportunity to replace the update, they need to be able to intercept traffic, and they must create a malicious update whose signature matches the one of the legitimate update. The resources and knowledge needed to pull off such an attack are often limited to state-sponsored threat actors.

Advertisement. Scroll to continue reading.

Jean-Baptiste Kempf, one of the lead developers of VLC and the president of the VideoLAN non-profit organization, explained that while it’s possible to break DSA encryption such as the one used for the update process, creating a fake signed DSA message corresponding to a public key is much more difficult.

“As for DSA, it is weak indeed, because you can brute-force decrypting, but to create a valid fake message is a different task. And the code supports RSA for the new system, as you can see in the source code file,” Kempf explained. “The system is not perfect, but is far from being broken as some people would like to pin.”

He noted that Linux distributions and some major tech companies also perform updates over HTTP but use signed updates to prevent manipulation.

Many reputable cybersecurity experts agree with VLC’s assessment of the risk. Others agree that the risk is small, but still think that VLC should start using HTTPS.

VLC's decision not to use HTTPS for updates supported by some experts


VLC's decision not to use HTTPS for updates supported by some experts

Other industry professionals, however, don’t like the tone of VLC’s response, with several people describing the messages as “rude.”

Some believe VLC's repose to lack of HTTPS is "rude"

Related: EU to Run Bug Bounty Programs for 14 Free Software Projects

Related: Flaw in Media Library Impacts VLC, Other Software

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...