nanog mailing list archives
Re: Whitelist of update servers
From: Keegan Holley <keegan.holley () sungard com>
Date: Mon, 12 Mar 2012 16:40:24 -0400
2012/3/12 Maverick <myeaddress () gmail com>
Like list of sites that operating systems or applications installed on your machines go to update themselves. One way could be to go on each vendor's site and look at their update servers like microsoft.update.com but it would be good if there is a list of such servers for all OS and applications so that it could be used as a whitelist.
I stick with my original answer... sometimes. I'm not sure if this is different now, but I remember MS update being spoofed with bogus DNS entries because the process is tied to that DNS name. I think this is the most popular method combined with some sort of encryption and/or signing to verify the updates themselves. I'm sure there are applications that use a white list though. There are a lot of shops that update via some kind of CDN, so the whitelist method is a bit cumbersome at scale and is not immune to spoofing or other attacks. The most secure thing is probably to protect the updates themselves.
