Security Experts:

Connect with us

Hi, what are you looking for?


Data Protection

VLC Responds to Criticism Over Lack of HTTPS for Updates

The developers of the popular open source video player VLC, which recently surpassed 3 billion downloads, have responded to criticism over the use of HTTP for software updates.

The developers of the popular open source video player VLC, which recently surpassed 3 billion downloads, have responded to criticism over the use of HTTP for software updates.

Several people have submitted bug reports to VLC over the past period regarding the use of HTTP instead of HTTPS for software updates. A report submitted five days ago has triggered some heated discussions on Twitter and Reddit regarding the associated risks.

When VLC is updated, the client communicates with the server over HTTP, which, in theory, exposes the connection to man-in-the-middle (MitM) attacks and could allow a threat actor to replace the legitimate update with a malicious one without the user’s knowledge.

VLC developers believe that the use of HTTP in their case poses a small risk due to the way the update system has been implemented. They say they do plan on rolling out a new update system, but claim that it’s not an easy task and they have other priorities right now.

They’ve pointed out that the current system is not as insecure as some claim due to the fact that updates are cryptographically signed to ensure that they have not been tampered with.

Some experts have highlighted that the updates are signed using a hardcoded 1024-bit DSA key, which is relatively weak by modern standards. Moreover, they’ve noted that the signing key has not been changed for several years.

While Internet giants and the entire cybersecurity industry have been pushing for the widespread adoption of HTTPS, the developers of the media player and some security experts say the risk is small and attacks would not be easy to carry out.

First, the attacker only has a small window on opportunity to replace the update, they need to be able to intercept traffic, and they must create a malicious update whose signature matches the one of the legitimate update. The resources and knowledge needed to pull off such an attack are often limited to state-sponsored threat actors.

Jean-Baptiste Kempf, one of the lead developers of VLC and the president of the VideoLAN non-profit organization, explained that while it’s possible to break DSA encryption such as the one used for the update process, creating a fake signed DSA message corresponding to a public key is much more difficult.

“As for DSA, it is weak indeed, because you can brute-force decrypting, but to create a valid fake message is a different task. And the code supports RSA for the new system, as you can see in the source code file,” Kempf explained. “The system is not perfect, but is far from being broken as some people would like to pin.”

He noted that Linux distributions and some major tech companies also perform updates over HTTP but use signed updates to prevent manipulation.

Many reputable cybersecurity experts agree with VLC’s assessment of the risk. Others agree that the risk is small, but still think that VLC should start using HTTPS.

VLC's decision not to use HTTPS for updates supported by some experts

VLC's decision not to use HTTPS for updates supported by some experts

Other industry professionals, however, don’t like the tone of VLC’s response, with several people describing the messages as “rude.”

Some believe VLC's repose to lack of HTTPS is "rude"

Related: EU to Run Bug Bounty Programs for 14 Free Software Projects

Related: Flaw in Media Library Impacts VLC, Other Software

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...