Are downloads subject to MITM attacks?

Post by friday123 » 29.10.2013, 21:28

I am currently seeking help in another thread for a problem with an ISO file, possibly related to mkisofs.exe, and while I was researching I noticed that WOU connects to its website to get the latest version of mkisofs.exe. Do any of these supporting programs needed by WOU have a digital signature, or if not, how is the client verifying them as legitimate in order to protect against a Man-In-The-Middle (MITM) attack? Thanks
friday123
 
Posts: 74
Joined: 28.11.2009, 05:30

Re: Are downloads subject to MITM attacks?

Post by WSUSUpdateAdmin » 30.10.2013, 10:14

Hi.

There's no protection against "man in the middle" attacks concerning mkisofs.exe and the Sysinternals tools (AutoLogon, SigCheck and Streams), but you may check the downloaded files once to be sure (e.g. https://www.virustotal.com/), since WOU will download them only if not present (Sysinternals) or if the remote file is newer (mkisofs.exe), which I would announce here beforehand.

Regards
T. Wittrock
WSUSUpdateAdmin
Administrator
 
Posts: 2245
Joined: 07.07.2009, 14:38

Re: Are downloads subject to MITM attacks?

Post by friday123 » 30.10.2013, 19:29

If it's checking with a server for a later version then a MITM can just say they have a later version. If there is no signature check then the attack would be successful. Have you considered including all files which do not have their signature checked?
friday123
 
Posts: 74
Joined: 28.11.2009, 05:30

Re: Are downloads subject to MITM attacks?

Post by WSUSUpdateAdmin » 31.10.2013, 08:46

Hi.
friday123 wrote: If it's checking with a server for a later version then a MITM can just say they have a later version.[...]

A MITM could also fake a new version of WOU then.
Would be much simpler and more effective...
RTW
WSUSUpdateAdmin
Administrator
 
Posts: 2245
Joined: 07.07.2009, 14:38

Re: Are downloads subject to MITM attacks?

Post by friday123 » 17.11.2013, 02:40

Suggestion: Please offer a way in the application to prevent any download that cannot be verified with a signature. Like if you had the option "VERIFIED_FILES_ONLY" I would turn it on. That way I can avoid MITM attacks. Thank you
friday123
 
Posts: 74
Joined: 28.11.2009, 05:30

Re: Are downloads subject to MITM attacks?

Post by boco » 17.11.2013, 02:44

You cannot prevent downloads without signatures because the signatures can be checked only once downloaded. Unsigned files or files with invalid signatures will be deleted by WSUSOU, that's already implemented.
Microsoft update catalog: http://catalog.update.microsoft.com/v7/site/
Windows Install media download: https://support.microsoft.com/en-us/help/15088/windows-create-installation-media
boco
 
Posts: 2398
Joined: 24.11.2009, 17:00
Location: Germany

Re: Are downloads subject to MITM attacks?

Post by friday123 » 17.11.2013, 03:04

It seems to me, though, that for unsigned downloads like mkisofs.exe there's really no authentication. Also, if a new version of WOU is faked, is there any authentication to tell? I'd rather just turn that stuff off if I can.
friday123
 
Posts: 74
Joined: 28.11.2009, 05:30

Re: Are downloads subject to MITM attacks?

Post by boco » 17.11.2013, 03:34

I guess it's best letting the author answer that himself. Though from what I know the tools are self-compiled, and signatures are expensive.
boco
 
Posts: 2398
Joined: 24.11.2009, 17:00
Location: Germany

Re: Are downloads subject to MITM attacks?

Post by WSUSUpdateAdmin » 17.11.2013, 10:57

Hi.

First of all: I can't afford a digital signature. This is free / donation ware.

Second: MITM attacks are a question of probability, of course. How often have you been targeted by a MITM in the past?

Last but not least: It's a matter of trust. Maybe I'm the bad guy and deliver a Trojan within my digitally signed archive. What could you do against that? According to the GPL terms, I'm not personally liable if my software harms one of your computers.

friday123 wrote: I'd rather just turn that stuff off if I can.

It's a decision you must take, and if you don't trust me, you probably don't want to use this software.

Regards
T. Wittrock
WSUSUpdateAdmin
Administrator
 
Posts: 2245
Joined: 07.07.2009, 14:38

Re: Are downloads subject to MITM attacks?

Post by friday123 » 17.11.2013, 19:43

Thanks for your message but I think you misunderstand. This is nothing against you, or your team. I use the internet over insecure connections often. What I am saying is I want to avoid someone impersonating you or your team.
friday123
 
Posts: 74
Joined: 28.11.2009, 05:30
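
The approach the thread arrives at for unsigned helpers such as mkisofs.exe (check the download once, then make sure it never changes silently) can be enforced with a pinned SHA-256 manifest. This is an added example, not part of the thread and not WOU's code; the function names, the `verified_files_only` flag (named after the option friday123 proposes) and the file contents are hypothetical, and the manifest is assumed to be kept where a network attacker cannot alter it.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def sha256_file(path):
    """Hash a file in chunks so large downloads are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(65536), b""):
            digest.update(block)
    return digest.hexdigest()

def pin(manifest, path):
    """Record the hash of a file that has been checked by hand once."""
    manifest[Path(path).name.lower()] = sha256_file(path)

def check(manifest, path, verified_files_only=True):
    """Return 'ok', 'mismatch' or 'unpinned'; delete any file that is not trusted."""
    expected = manifest.get(Path(path).name.lower())
    if expected is None:
        verdict, trusted = "unpinned", not verified_files_only
    else:
        trusted = hmac.compare_digest(expected, sha256_file(path))
        verdict = "ok" if trusted else "mismatch"
    if not trusted:
        Path(path).unlink()  # same policy the thread describes for invalid signatures
    return verdict

def demo():
    """Run the three cases on constructed stand-in files (not real binaries)."""
    with tempfile.TemporaryDirectory() as folder:
        tool = Path(folder) / "mkisofs.exe"
        tool.write_bytes(b"constructed bytes: the copy that was checked once")
        manifest = {}
        pin(manifest, tool)
        unchanged = check(manifest, tool)
        # A later "newer version" download overwrites the file with other bytes.
        tool.write_bytes(b"constructed bytes: a substituted download")
        replaced = check(manifest, tool)
        removed = not tool.exists()
        extra = Path(folder) / "streams.exe"
        extra.write_bytes(b"constructed bytes: never checked")
        unknown = check(manifest, extra)
        return unchanged, replaced, removed, unknown

if __name__ == "__main__":
    print(demo())
```

A legitimate update changes the hash as well, so each announced new version needs a fresh manual check and a new pin.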
