1

According to Microsoft, "Never update your software on a public Internet connection."

So I have some questions.
1. What if a public Wi-Fi hotspot is the only Internet available, ever? Never update anything?
2. What happens if Windows or some other program is set to update automatically and attempts to do so while you are using a public Wi-Fi? Disable all automatic updates on all software?
3. Will VPN help to secure software updates? If so, how to go about it?

Thanks.

Improve this question
7
  • 2
    It seems like a stupid recommendation (assuming the software update protocol authenticated the incoming software updates, which it would be even stupider if it didn't). Of all of the things other people could observe you doing (your email, the websites you like to browse, etc...), the fact that you're updating your operating system is close to the least private I can think of!
    – Celada
    Commented Jun 23, 2013 at 16:06
  • They forgot to mention that you should always wear sunscreen when using Wi-Fi from an outdoor location. :)
    – Brent Bradburn
    Commented Jun 23, 2013 at 16:51
  • 1
    @Karan A MITM would only be possible if the update protocol does not actually authenticate the update. To paraphrase what I already said, it's very unlikely that they would have been so incompetent as to not authenticate updates. I mean, all you really need to do is either transfer it over https or else supply a lightweight detached signature. That being said, I guess Microsoft has been known to be really stupid before...
    – Celada
    Commented Jun 23, 2013 at 22:12
  • 1
    @Celada: They do authenticate, but Flame used a spoofed digital certificate created using MD5 collisions. Obviously they are not so idiotic as to not even have basic auth mechanisms in place. Needless to say they've now further tightened their security and revoked those certificates. The point is, there's nothing fundamentally wrong about their advice (and that's all it is really, advice, take it or leave it).
    – Karan
    Commented Jun 23, 2013 at 22:19
  • 1
    The MITM scenario is technically real, but how likely is it to happen? If I have to choose whether to update my Java through a public Wifi or skip the update, I know what I do: update. The chance of being hit by a Java Exploit is much much larger than the chance of me being the target of a MITM attack.
    – Jan Doggen
    Commented Jun 24, 2013 at 7:04

1 Answer 1

Reset to default
2

Like everything in security it is a balancing act of risk analysis. What is more likely to come back and bite you in the a$$? the chance that someone successfully performs a MITM attack on your updates, or that your unpatched system is attacked?

Personally, if I really had no option but public WiFi, I'd be updating on public WiFi.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .