You’d have to impersonate Google’s web servers to push the update, wouldn’t you?... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		542458 on Dec 1, 2022 \| parent \| context \| favorite \| on: Platform certificates used to sign malware You’d have to impersonate Google’s web servers to push the update, wouldn’t you? That would mean both hijacking the DNS and faking or stealing the TLS cert. That’s not impossible, but it’s pretty much a moderately-well-equipped-nation level attack.

V__ on Dec 1, 2022 | [–]

If a 'heist' to steal such a key would be pulled off, adding credentials (or stealing them) to the update-server (even for a one-time update push) doesn't seem out of the realm of possibilities.

kiliancs on Dec 1, 2022 | [–]

If you own the OS, you should be able to install updates from anywhere.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact