VLC website does not use HTTPS by default, enforcing it.
VLC website for download redirection does not use HTTPS by default, enforcing it.
VLC download mirrors do not use HTTPS by default, enforcing it.
VLC is the most used opensource video player, but its website is by default in clear-text, exposing it to any kind of digital attack that manipulates traffic between end-users and the VLC website in order to inject computer malware bundled with the software package.
That's a serious security issue for end-users and a reputation issue for the VideoLan Project, which should take action by securing all its website and download procedures in order to guarantee end-users that the software delivered from the VLC website is exactly what gets installed on the end-user's computer.
This ticket is to:
Enable HTTPS by default on all Videolan hosted resources (such as videolan.org, get.videolan.org, etc.) so that it achieves a rating of A+ on https://www.ssllabs.com testing
Make all of the Videolan mirrors serve the VLC client over HTTPS (that may need another ticket to be tracked, requiring other organizations to update)
Exactly, the CIA used their own fork of VLC and managed to do MITM to attack VLC users BECAUSE THE VLC WEBSITE AND MIRRORS ARE NOT USING HTTPS.
So VLC is responsible for letting attackers inject malware bundled with the software package, because it's only the VLC project maintainers' responsibility to use HTTPS as the only method to prevent a third-party attacker from hijacking VLC website content and files.
async-signed VLC packages with strong cryptography are a good thing, but can protect only the "self update method" while leaving the "installation method" 100% completely vulnerable.
To summarise:
VLC is vulnerable to MITM attack against the installation of the software because it is missing HTTPS
VLC is NOT vulnerable to MITM attack against the update of the software because it's using digital signing of released packages
Different security mechanisms provide protection against different attacks; unfortunately digital signing of packages does not provide any kind of protection against MITM of the installation process of a user visiting the videolan.org website and following the instructions.
VLC is vulnerable to MITM attack against the installation of the software
Yes.
because it is missing HTTPS
No.
It is vulnerable because:
the CIA (and some other intelligence services) can obtain TLS certificates for videolan.org issued by domestic certificate authorities,
the relevant intelligence services can get physical access to the VideoLAN servers and steal the certificates there,
there are probably ways to abuse the trust of VideoLAN admins or committers (e.g. myself),
most importantly, users do not know to download VLC from "videolan.org".
TLS does not fix any of those problems.
To fix this, what you need is the operating system (vendor) to block unsigned software installation. That's outside the scope of the VLC project (and probably a case of cure worse than the disease).
Either come with a valid proof of concept or stop wasting our time, bandwidth and disk space please.
The PoC is coming; it has been developed using a few lines of Ruby as a Bettercap plugin that can be exploited by anyone in between the end-user and the videolan.org website, mirrorbits server and mirrors.
VLC is vulnerable to MITM attack against the installation of the software
Yes.
because it is missing HTTPS
No.
Nope, it's simply because of missing HTTPS.
Let me explain below:
It is vulnerable because:
the CIA (and some other intelligence services) can obtain TLS certificates for videolan.org issued by domestic certificate authorities,
Wrong.
Actually the use of the HSTS Preload List completely prevents this problem https://hstspreload.org/ .
Anyhow, even without the HSTS Preload List, the now mandatory use of Certificate Transparency (https://www.certificate-transparency.org/) makes any attack of this kind get detected within a few hours worldwide.
the relevant intelligence services can get physical access to the VideoLAN servers and steal the certificates there,
OT.
From a security threat modelling perspective we are not speaking about an attacker with physical access, but about anyone using free software to make MITM attacks, being able to sit in the middle of the traffic between end-users and the videolan infrastructure.
there are probably ways to abuse the trust of VideoLAN admins or committers (e.g. myself),
OT.
That's not the kind of attack that an untrained, unskilled attacker can do using opensource tools (or tools available at a cheap price to law enforcement).
most importantly, users do not know to download VLC from "videolan.org".
Users trust the clicks they make by following the website user interface of videolan.org, so the implicit trust is in following your website.
The fact that the videolan.org website and any link or HTML contained in it can be easily modified by an unskilled attacker using simple and cost-effective opensource tools means that the vulnerability is very relevant.
TLS does not fix any of those problems.
As you read above, TLS fixes all direct attack problems, except those that require aggressive actions "against you" (physical access or hacking sysadmins).
To fix this, what you need is the operating system (vendor) to block unsigned software installation. That's outside the scope of the VLC project (and probably a case of cure worse than the disease).
That's not really a good excuse to avoid implementing HTTPS and fixing most of your security problems related to MITM of the first download.
Just because only some very high-level and sophisticated attacker may use a nuclear weapon against my house, it doesn't mean that I'm not going to put a lock that protects my house against most of the attacks.
Really, with 2.3 billion downloads, that's a problem to be fixed ASAP because it represents a threat to the internet security of a huge number of users.
While it is true that HSTS mitigates the first problem, this bug report made no mention of HSTS... And it's a rather easy hand-wave to ignore the other problems, especially the last one.
The reality is that, until the main search engine(s) route all searches for VLC to "videolan.org", we are hosed. And it does not seem like they would want to skip on the scam advertisement revenue with simply not doing that.
It also does not seem like the VLC users want to pay for the cost of switching the website and all the mirrors to TLS.
While it is true that HSTS mitigates the first problem, this bug report made no mention of HSTS... And it's a rather easy hand-wave to ignore the other problems, especially the last one.
The bug made mention of a rating of A+ on ssllabs.com, which includes using HSTS.
The reality is that, until the main search engine(s) route all searches for VLC to "videolan.org", we are hosed. And it does not seem like they would want to skip on the scam advertisement revenue with simply not doing that.
You can get $10,000/month of Google Search Adwords with https://www.google.com/intl/fr/grants/ .
I've done it for the GlobaLeaks Project: you first need to make a TechSoup account with the French TechSoup partner to identify yourself in front of Google as a non-profit, and in a few days you'll have $329/day of Google Adwords advertising with a cap of $2 CPC.
It also does not seem like the VLC users want to pay for the cost of switching the website and all the mirrors to TLS.
There are several options to start securing the VLC website:
Use HTTPS content delivery networks such as cloudflare.com (Mozilla is doing this with www.mozilla.org)
For what's related to the mirrors, I opened ticket #18484 (closed) to analyse which mirrors already support HTTPS and what percentage of the total downloads they account for.
For what's related to the software side, I opened a ticket on the mirrorbits GitHub repository to support HTTPS as a property of a mirror: https://github.com/etix/mirrorbits/issues/59
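As an added illustration of the mirror audit proposed in this comment (example code written for this page, not VideoLAN's, mirrorbits' or the commenter's own tooling), the following Python classifies each mirror by whether it serves over HTTPS, sends an HSTS header, and meets the hstspreload.org submission requirements, then computes the share of downloads that would not leave users exposed to on-path package replacement. All mirror URLs, header values and download shares are constructed sample data.

```python
from urllib.parse import urlparse

ONE_YEAR = 31536000  # hstspreload.org requires a max-age of at least one year

def parse_hsts(header):
    """Split a Strict-Transport-Security header into lower-cased directives."""
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"')
    return directives

def hsts_preload_eligible(header):
    """True if the header meets the hstspreload.org submission requirements."""
    d = parse_hsts(header or "")
    try:
        max_age = int(d.get("max-age", ""))
    except ValueError:
        return False
    return max_age >= ONE_YEAR and "includesubdomains" in d and "preload" in d

def classify_mirror(url, headers):
    """Rank how well a mirror protects the first-install download path."""
    if urlparse(url).scheme != "https":
        return "plaintext"          # anything on-path can swap the package
    hsts = headers.get("strict-transport-security")
    if not hsts:
        return "https-no-hsts"      # a stray http:// link still downgrades silently
    if hsts_preload_eligible(hsts):
        return "https-hsts-preload"
    return "https-hsts"

def secure_download_share(mirrors):
    """Fraction of downloads (weighted by each mirror's share) not served in clear text."""
    total = sum(m["share"] for m in mirrors)
    secure = sum(m["share"] for m in mirrors
                 if classify_mirror(m["url"], m["headers"]) != "plaintext")
    return secure / total if total else 0.0

# Constructed sample data; these are not real VideoLAN mirrors or download shares.
SAMPLE_MIRRORS = [
    {"url": "http://mirror-a.example/vlc/", "headers": {}, "share": 55},
    {"url": "https://mirror-b.example/vlc/", "headers": {}, "share": 25},
    {"url": "https://mirror-c.example/vlc/", "share": 20, "headers": {
        "strict-transport-security": "max-age=63072000; includeSubDomains; preload"}},
]

if __name__ == "__main__":
    for m in SAMPLE_MIRRORS:
        print(m["url"], classify_mirror(m["url"], m["headers"]))
    print("secure download share:", secure_download_share(SAMPLE_MIRRORS))
```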
If you want to be secure, use the https version of videolan.org, and check the sha1 and the signature.
As for the suggestion of using cloudflare, in order to MITM our HTTPS connections, this is a nice joke.
If you are able to send us around 20k€/month to have our own mirrors, please be very free to send that.
Now, as you are obviously trolling, please stop right now, or I'll be forced to block your account.
FYI, references to documents related to the Commercial Infection Appliance used by dictatorships to infect executable downloads.
Please have a read of the technical specification of the "infection applications" in order to get an idea of their capabilities, which can be fully defeated by having the entire website and download process on HTTPS+HSTS
If the problem with mitigating this (real) security issue is the cost of running your own mirrors, then I can help you with this.
Please contact me privately for further discussion.
How can we contact you?
You should be able to see my email address; if not, please let me know and I'll provide it to you.
I don't think I can, but I will check.
I haven't heard back from you in this regard; do you have an update?
So far, no, because we need to work on our infrastructure, because @naif and their (Italian) friends are attacking us from all over. And not only on social networks, but also physically on our servers.
I would suggest you leave nationality-related comments out of this discussion.
I am sorry to read that you are experiencing attacks on your servers at the moment. In case you need a secure and reliable mirror, please let me know, as I could run one and give it 1Gb/s connectivity, free of charge and with enforced HTTPS.
Seeing that they make this an Italian-vs-French hacker fight, it's not really easy, tbh.
But fair enough...
I see your point, but keep in mind that there could be Italians willing to help you guys, regardless of whether you are French or of any other nationality.
OK, thanks for the proposal.
No worries, I am happy to help.