DNS poisoning attack worked even when targets used DNS from Google and Cloudflare.

  • kolorafa@lemmy.world
    link
    fedilink
    English
    arrow-up
    10
    arrow-down
    1
    ·
    3 months ago

    One more reason to have centralized and secure way to do app updates like in Linux (yes, you could still get f for example with not signed app images and such, but less likely)

    Not allowing every single app maker make their own update center is the way to go.

    • sugar_in_your_tea@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      4
      ·
      edit-2
      3 months ago

      Less central repo, and more signed packages. I don’t care where my packages come from, I just care that they’re signed and verified on the client. I can use any mirror I want, including the one I self-host, and I’ll get the same result. Then the problem changes to making sure your mirror is in sync, and that shouldn’t be that hard.

    • vrek@programming.dev
      link
      fedilink
      English
      arrow-up
      4
      arrow-down
      1
      ·
      3 months ago

      At that point it’s a single point of failure, hack that central repo and infect everything. Plus Linux is not centralized… That’s kinda the point, suse, Debian, arch, red hat all have their own repos…

      • kolorafa@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        edit-2
        3 months ago

        Yes, but you as a user are in control of when/how you update, you can first update some test server and only then propagate it to other.

        But still better have single (hopefully secure) risk point/target that you need to pay attention than have multiple god know when/how updating that you dont even dont know about.

  • WolfLink@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    2
    ·
    3 months ago

    Scary. I think a VPN would help against this kind of attack (although it also shows what could happen if your VPN gets compromised).

    Encrypted DNS is the real solution though.