I don't think it's really a big deal. Since the list is signed, an active attacker would only be able to replay an old version of the list... but it's hard to see how that would be worse than just blocking the request entirely.
An older version of the list might be missing a recently compromised certificate, though. Of course, you need to both MITM someone and compromise an important cert, so that's not the sort of thing just anybody could pull off.
Right, but assuming Windows isn't dumb enough to accept a remotely downloaded version that's older than the one it already has locally, the effect would be the same as if the attacker just prevented you from receiving new updates. And HTTPS wouldn't make it any harder for them to do that.
> the effect would be the same as if the attacker just prevented you from receiving new updates.
True, but it might be slightly less visible because you'd get an "update" instead of a failure. Also, I wonder if anyone has actually tested that scenario?
I'd like to believe that's true and that should be true, but I'd also have to actually test it before trusting it to be true.
Additionally, old versions will expire, so there's a limit to how far back you can keep someone, even if you continuously intercept the update attempts.
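The thread's three defensive properties (the list is signed, a client should refuse a remotely supplied version older than its local copy, and old versions expire so a replay cannot pin a victim forever) are easy to lose in the gap between "should be true" and "tested". The following added example, not part of the discussion above and not Windows' own logic, shows one client-side update check that enforces all three and a lookup that fails to "unknown" once the local list has passed its expiry. It assumes integer version numbers and integer timestamps, and it uses an HMAC tag under a constructed shared key as a stand-in for the publisher's real signature; the accept/reject logic is identical for a public-key signature.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the publisher's signing key. A real list would carry a
# public-key signature; HMAC keeps this example runnable with only the stdlib.
SIGNING_KEY = b"constructed-demo-signing-key"


def _encode(version, not_after, entries):
    # Canonical encoding so the same list always signs the same way.
    return json.dumps(
        {"version": version, "not_after": not_after, "entries": sorted(entries)},
        sort_keys=True,
    ).encode()


def sign_list(version, not_after, entries):
    """Publisher side: produce a signed list with a version number and expiry."""
    payload = _encode(version, not_after, entries)
    tag = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "tag": tag}


class RevocationListClient:
    """Client side: holds the local copy and decides whether to accept an update."""

    def __init__(self, version, not_after, entries):
        self.version = version
        self.not_after = not_after
        self.entries = set(entries)

    def apply_update(self, update, now):
        payload = update["payload"].encode()
        expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
        # 1. Integrity: a tampered or forged list is rejected before anything is parsed.
        if not hmac.compare_digest(expected, update["tag"]):
            return "rejected: bad signature"
        data = json.loads(payload)
        # 2. Freshness: a genuine but expired list is not a valid update.
        if data["not_after"] <= now:
            return "rejected: expired"
        # 3. Monotonicity: a genuine, unexpired, but older list is a replay.
        if data["version"] <= self.version:
            return "rejected: replay of older or same version"
        self.version = data["version"]
        self.not_after = data["not_after"]
        self.entries = set(data["entries"])
        return "accepted"

    def check(self, cert_id, now):
        # If an attacker has starved us of updates past the local expiry, we no
        # longer know the answer; the caller decides what "unknown" means for it.
        if now >= self.not_after:
            return "unknown: local list expired"
        return "revoked" if cert_id in self.entries else "not revoked"


if __name__ == "__main__":
    client = RevocationListClient(version=10, not_after=2000, entries=["cert-A"])
    newer = sign_list(11, 3000, ["cert-A", "cert-B"])
    older = sign_list(9, 2500, [])
    print(client.apply_update(older, now=1000))   # replay of an old list
    print(client.apply_update(newer, now=1000))   # legitimate update
    print(client.check("cert-B", now=1000))
    print(client.check("cert-B", now=3500))       # list expired, answer unknown
```

The version check is what makes the replay no worse than blocking the request outright, and the expiry check bounds how long even a continuous block can keep a client on stale data.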