
Security of MiKTeX package manager


Security of MiKTeX package manager

Philipp
Hi all,

as someone who's a bit paranoid concerning my computers' security, I
was wondering how secure it is to install or update packages with
MiKTeX package manager.

From what I have seen, packages are downloaded over http, not https.
Are digital signatures or something alike applied?
If not, the package download process seems vulnerable to
man-in-the-middle attacks. While this probably isn't much of an issue
for packages that contain fonts, styles or similar stuff, there are
also some packages that include DLLs or even executable programs
(e.g., BibTeX), which an attacker could replace with manipulated
versions.

I must admit that it is unlikely that someone would actually exploit
this (if it is possible), but I would feel better if it wasn't
possible at all ;-)

Regards,
Philipp

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Q: How can I leave the mailing list?
A: See http://docs.miktex.org/faq/support.html#leavingml

Re: Security of MiKTeX package manager

Mark Yagnatinsky
If you're really paranoid, even style files are not safe unless you have
\write18 disabled.

On Fri, Apr 28, 2017 at 4:05 PM, Philipp <[hidden email]> wrote:

> Hi all,
>
> as someone who's a bit paranoid concerning my computers' security, I
> was wondering how secure it is to install or update packages with
> MiKTeX package manager.
>
> From what I have seen, packages are downloaded over http, not https.
> Are digital signatures or something alike applied?
> If not, the package download process seems vulnerable to
> man-in-the-middle attacks. While this probably isn't much of an issue
> for packages that contain fonts, styles or similar stuff, there are
> also some packages that include DLLs or even executable programs
> (e.g., BibTeX), which an attacker could replace with manipulated
> versions.
>
> I must admit that it is unlikely that someone would actually exploit
> this (if it is possible), but I would feel better if it wasn't
> possible at all ;-)
>
> Regards,
> Philipp
>
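Two defensive checks that follow from both messages, as an added example that is neither code from this thread nor from MiKTeX: a pinned-digest verification for a package downloaded over plain http (the man-in-the-middle point), and a heuristic scan of a style file for the \write18 shell-escape primitive (Mark's point). The sample .sty content, the digest inputs and all function names are constructed for the example.

```python
import hashlib
import hmac
import re

# Matches the shell-escape primitive named in the reply above. \immediate\write18
# is covered too, since the \write18 token still appears in the source text.
SHELL_ESCAPE = re.compile(r"\\write18\b")
# A '%' not preceded by a backslash starts a TeX comment; drop the rest of the line.
COMMENT = re.compile(r"(?<!\\)%.*")


def find_shell_escape(tex_source: str) -> list[tuple[int, str]]:
    """Return (line number, code) for every non-comment line that invokes \\write18.

    Heuristic only: a package can still assemble the token indirectly (e.g. via
    \\csname), so the real mitigation is running TeX with shell escape disabled.
    """
    hits = []
    for lineno, line in enumerate(tex_source.splitlines(), start=1):
        code = COMMENT.sub("", line)
        if SHELL_ESCAPE.search(code):
            hits.append((lineno, code.strip()))
    return hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected_sha256: str) -> bool:
    """True only if the downloaded bytes match a digest obtained out of band
    (e.g. over https); bytes altered in transit over plain http fail the check."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


# Constructed sample .sty content (not a real MiKTeX package).
SAMPLE_STY = r"""\ProvidesPackage{sample}  % a commented \write18 must not be flagged
% \write18{echo harmless}
\newcommand{\plot}{\immediate\write18{gnuplot plot.gp}}
\def\idx{\write18{makeindex \jobname}}
\newcommand{\safe}{\typeout{no shell escape here}}"""

if __name__ == "__main__":
    for lineno, code in find_shell_escape(SAMPLE_STY):
        print(f"line {lineno}: {code}")
    pkg = b"constructed package bytes"
    print("digest ok:", verify_digest(pkg, sha256_hex(pkg)))
```

Running it flags lines 3 and 4 of the sample and reports the digest check as ok; flipping any byte of `pkg` before the check makes it fail.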