
I have been a long-time Visor/TotalTerminal user and wanted to try iTerm2 on 10.11, but was concerned with its use of the Sparkle updater framework. Through all of my research I could find no sign to confirm whether updates are performed through https instead of http, and I declined to install it. I also couldn't find a way to contact anyone to ask, so I'm glad you posted. So? What does it use? Don't you think this may be worth noting on the announcement or changelog?



Yep, https. Look at the last two URLs at the very end of the file:

https://github.com/gnachman/iTerm2/blob/master/plists/releas...

Likewise, all HTTPS here:

http://iterm2.com/appcasts/testing3.xml

If you're on Mac OS 10.11, we don't disable app transport security, so the OS prevents us from making HTTP requests at all.
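The check the thread is asking about can be automated: the script below (an added example, not iTerm2's or Sparkle's own code) parses a Sparkle appcast and reports every update entry whose download URL or release-notes link is not served over HTTPS, or whose enclosure carries no Sparkle signature attribute. The feed content is a constructed sample, not the real testing3.xml.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespace Sparkle uses for its appcast extensions.
SPARKLE_NS = "http://www.andymatuschak.org/xml-namespaces/sparkle"

# Constructed sample appcast: one clean entry and one entry with a
# plaintext download, a plaintext release-notes link and no signature.
SAMPLE_APPCAST = """<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle">
  <channel>
    <title>Example App Changelog</title>
    <item>
      <title>Version 3.0.0</title>
      <sparkle:releaseNotesLink>https://example.invalid/notes/3.0.0.html</sparkle:releaseNotesLink>
      <enclosure url="https://example.invalid/Example-3.0.0.zip" sparkle:version="3.0.0"
                 sparkle:dsaSignature="PLACEHOLDER-SIGNATURE" length="1234"/>
    </item>
    <item>
      <title>Version 2.9.9</title>
      <sparkle:releaseNotesLink>http://example.invalid/notes/2.9.9.html</sparkle:releaseNotesLink>
      <enclosure url="http://example.invalid/Example-2.9.9.zip" sparkle:version="2.9.9" length="1234"/>
    </item>
  </channel>
</rss>"""


def audit_appcast(xml_text):
    """Return (item title, problem) pairs for every entry that would let an
    on-path attacker tamper with the update or its release notes."""
    findings = []
    root = ET.fromstring(xml_text)
    for item in root.iter("item"):
        title = item.findtext("title", default="(untitled)")
        notes = item.find(f"{{{SPARKLE_NS}}}releaseNotesLink")
        if notes is not None and notes.text:
            link = notes.text.strip()
            if urlparse(link).scheme != "https":
                findings.append((title, f"release notes not over https: {link}"))
        for enc in item.findall("enclosure"):
            url = enc.get("url", "")
            if urlparse(url).scheme != "https":
                findings.append((title, f"download not over https: {url}"))
            # Sparkle 1.x used dsaSignature; Sparkle 2 uses edSignature.
            if not (enc.get(f"{{{SPARKLE_NS}}}dsaSignature") or enc.get(f"{{{SPARKLE_NS}}}edSignature")):
                findings.append((title, "enclosure has no Sparkle signature"))
    return findings


if __name__ == "__main__":
    for title, problem in audit_appcast(SAMPLE_APPCAST):
        print(f"{title}: {problem}")
```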


OK. Thanks.

And what about the risk of parsing file:// and ftp:// and other protocols inside the WebView component? What assurances can you give that there is not a security flaw on the server that allows replacing the XML file?


Why are you concerned with Sparkle? Is it because it's a third-party library, or whether or not iTerm2 makes HTTPS updates?

It seems a little debugging with LittleSnitch/Charles would glean an answer as to how the requests are made and what else, if anything, is. Perhaps a ticket at https://iterm2.com/bugs is warranted.


Well, in case you hadn't heard: http://arstechnica.com/security/2016/02/huge-number-of-mac-a...

I would just like to know before I install. I don't think it is too unreasonable of a prerequisite.


Thank you for this. I had not.

