
Very nice writeup!

It contains a link to Avast's Coordinated Vuln Disclosure site: https://www.avast.com/coordinated-vulnerability-disclosure and this has a link to Avast's PGP key that's served via unencrypted HTTP: http://virfile.avast.com/viruslab/avast-bugs-pgp-key.txt Not only that, the key is a weak 1024-bit DSA key :(




I'm hoping this isn't a dumb question, but why does it matter that a public key is public-facing and unencrypted?


If someone intercepted the communication, they could swap the Avast key for their own, allowing them to decrypt your message.


What jurgemaister said. If you don't have another trust mechanism (like Web of Trust) to validate whether this is the correct key, then HTTPS gives at least some assurance that no intermediaries between you and Avast changed the key material.
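The two concerns the thread raises (key fetched over plaintext HTTP, and a 1024-bit DSA key) are both things a reviewer of a disclosure page can check mechanically. The script below is an added example and not code from the thread or from Avast: it parses just enough OpenPGP (RFC 4880 packet headers and MPIs) to read the algorithm and size of a primary public key, and flags a non-HTTPS key URL. The key it parses is a constructed, non-functional sample with placeholder MPIs, the minimum sizes in MIN_BITS are an assumed policy, and nothing is fetched from the network; a real check would still compare the fetched key's fingerprint against one obtained out of band.

```python
"""Check a vulnerability-disclosure PGP key the way the thread suggests:
is it served over HTTPS, and are the algorithm and key size still acceptable?
Parses only the first public-key packet (RFC 4880 headers + MPIs).
The sample key built here is constructed and is not a usable key."""
import base64
import struct

ALGO_NAMES = {1: "RSA", 2: "RSA", 3: "RSA", 16: "Elgamal", 17: "DSA",
              18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
# Assumed policy: minimum sizes accepted for MPI-based algorithms.
MIN_BITS = {"RSA": 2048, "DSA": 2048, "Elgamal": 2048}


def dearmor(text):
    """Strip ASCII armor: skip armor headers, stop at the CRC or END line."""
    lines = iter(text.strip().splitlines())
    for line in lines:
        if line.startswith("-----BEGIN PGP"):
            break
    else:
        raise ValueError("no armor header")
    for line in lines:                      # skip "Key: value" armor headers
        if line.strip() == "":
            break
    body = []
    for line in lines:
        if line.startswith("=") or line.startswith("-----END"):
            break
        body.append(line.strip())
    return base64.b64decode("".join(body))


def read_packet_header(data, off=0):
    """Return (tag, body_offset, body_length) for old- or new-format headers."""
    first = data[off]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                        # new format, RFC 4880 4.2.2
        tag = first & 0x3F
        b1 = data[off + 1]
        if b1 < 192:
            return tag, off + 2, b1
        if b1 < 224:
            return tag, off + 3, ((b1 - 192) << 8) + data[off + 2] + 192
        if b1 == 255:
            return tag, off + 6, struct.unpack(">I", data[off + 2:off + 6])[0]
        raise ValueError("partial body lengths not supported")
    tag = (first >> 2) & 0x0F               # old format, RFC 4880 4.2.1
    ltype = first & 0x03
    if ltype == 0:
        return tag, off + 2, data[off + 1]
    if ltype == 1:
        return tag, off + 3, struct.unpack(">H", data[off + 1:off + 3])[0]
    if ltype == 2:
        return tag, off + 5, struct.unpack(">I", data[off + 1:off + 5])[0]
    raise ValueError("indeterminate length not supported")


def key_info(armored):
    """Return (algorithm name, bit size of the first MPI) of the primary key."""
    data = dearmor(armored)
    tag, start, length = read_packet_header(data)
    if tag != 6:
        raise ValueError("first packet is not a public-key packet (tag %d)" % tag)
    body = data[start:start + length]
    version, algo = body[0], body[5]        # v4 layout: version, 4-byte time, algo
    if version != 4:
        raise ValueError("unsupported key version %d" % version)
    name = ALGO_NAMES.get(algo, "unknown(%d)" % algo)
    if name not in MIN_BITS:
        return name, None                   # ECC keys carry a curve OID, not an MPI
    bits = struct.unpack(">H", body[6:8])[0]   # first MPI: RSA n or DSA/Elgamal p
    return name, bits


def assess_disclosure_key(url, armored):
    """Findings a reviewer of a disclosure page would raise about its key."""
    findings = []
    if not url.lower().startswith("https://"):
        findings.append("key served over plaintext HTTP: an on-path party could substitute it")
    name, bits = key_info(armored)
    if bits is not None and bits < MIN_BITS[name]:
        findings.append("%s key is only %d bits (policy minimum %d)" % (name, bits, MIN_BITS[name]))
    return findings


def _mpi(bits):
    """Synthetic MPI of exactly `bits` bits: top bit set, remaining bits zero."""
    return struct.pack(">H", bits) + b"\x80" + b"\x00" * (bits // 8 - 1)


def build_sample_key(algo=17, bits=1024):
    """Constructed armored v4 public-key packet with placeholder MPIs (not a real key)."""
    if algo == 17:
        mpis = _mpi(bits) + _mpi(160) + _mpi(bits) + _mpi(bits)      # DSA p, q, g, y
    else:
        mpis = _mpi(bits) + struct.pack(">H", 17) + b"\x01\x00\x01"  # RSA n, e = 65537
    body = b"\x04" + b"\x00\x00\x00\x00" + bytes([algo]) + mpis
    packet = b"\x99" + struct.pack(">H", len(body)) + body           # old-format tag 6
    b64 = base64.b64encode(packet).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: constructed sample\n\n"
            + b64 + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


if __name__ == "__main__":
    # The URL is the one from the thread; the key material is constructed.
    for f in assess_disclosure_key("http://virfile.avast.com/viruslab/avast-bugs-pgp-key.txt",
                                   build_sample_key()):
        print("FINDING:", f)
```

Running it against a key file saved locally is a matter of passing the file's text to `assess_disclosure_key` alongside the URL it was downloaded from; the transport check and the size check are deliberately independent, since fixing one (moving the key to HTTPS) does nothing about the other.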





