Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
-
@Oktokolo Doesn't work, as MSI and their customers have found out the hard way: https://cybernews.com/news/...
-
@Fast-Nop Well, securing the customer side obviously is only one part of the problem. No update process is safe when the very source of the update gets compromised.
-
@Oktokolo The problem is, how to do the key update? That would need a secure channel, and that can be e.g. HTTPS. But if you have to trust that channel for a key update, you can as well trust it for the actual software update.
Btw., Linux distros with signed packages over plain HTTP are in a different situation - HTTPS isn't useful for securing the data because there are a lot of mirrors, and each mirror could tamper with the data, so that requires package signing. That's different from firmware that should only be downloaded from the vendor. -
@Fast-Nop that works fine as long as the keys can be revoked. Of course at a certain point you have to trust something. If a firmware author doctors it you are screwed anyway.
You have a procedure with usb stick to introduce new keys. It's a manual action.
Jesus fuck Gigabyte motherboards downloading and installing firmware updates over HTTP no fucking S
https://tomshardware.com/news/...
rant