It has been brought up in the past that package managers such as pip are vulnerable to man-in-the-middle attacks (see https://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/). This is due to all packages being downloaded through HTTP rather than HTTPS. To the best of my knowledge, shasums of the packages are not verified either.

I was curious whether Homebrew packages and casks are vulnerable to MITM attacks. I know that shasums of packages are verified once downloaded. This indicates that if a man-in-the-middle attack were to occur, it might be possible to detect it. Does Homebrew verify SSL certificates and use an HTTPS connection?

--- EDIT ---

It should be specified that the primary concern of MITM attacks is on public networks.

Harrison G
  • That reddit post is 9 years old! That being said, it looks like the issue has since been patched: https://bugs.launchpad.net/ubuntu/+source/python-pip/+bug/1015477 – CaffeineAddiction Aug 23 '21 at 20:42
  • Similarly, brew also makes use of SSL for verification, but given the correct command-line options I believe both pip and brew can be told to ignore certs. – CaffeineAddiction Aug 23 '21 at 20:42
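The detection the question alludes to (a pinned digest catching a tampered download) looks like this in practice. This is an added example, not code from the question, pip or Homebrew; it parses pip's `--hash=sha256:` requirements syntax and Homebrew's `sha256 "..."` formula stanza, and the artifact bytes, package name and URL are constructed placeholders.

```python
import hashlib
import re

# Constructed sample inputs (not a real package): the bytes a client would
# download, a tampered variant, and the two pin formats that reference them.
ARTIFACT = b"fake wheel contents for demonstration\n"
TAMPERED = b"fake wheel contents for demonstration!\n"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()

# pip hash-checking mode: one or more --hash=sha256:<hex> options per requirement.
REQUIREMENTS_LINE = f"examplepkg==1.0.0 --hash=sha256:{ARTIFACT_SHA256}"

# Homebrew formula/cask: a sha256 "<hex>" stanza next to the url (placeholder URL).
FORMULA_STANZA = f'''class Examplepkg < Formula
  url "https://example.invalid/examplepkg-1.0.0.tar.gz"
  sha256 "{ARTIFACT_SHA256}"
end'''


def pins_from_requirements(line: str) -> set[str]:
    """Collect every --hash=sha256:<hex> pin found on a pip requirements line."""
    return {h.lower() for h in re.findall(r"--hash=sha256:([0-9a-fA-F]{64})", line)}


def pins_from_formula(text: str) -> set[str]:
    """Collect every sha256 "<hex>" stanza from Homebrew formula or cask source."""
    return {h.lower() for h in re.findall(r'^\s*sha256\s+"([0-9a-fA-F]{64})"', text, re.M)}


def verify_download(blob: bytes, pins: set[str]) -> bool:
    """True only if the blob's SHA-256 matches one of the pinned digests.

    An empty pin set fails closed: with nothing to compare against, a
    modified download could never be detected, so it must not be trusted.
    """
    if not pins:
        return False
    return hashlib.sha256(blob).hexdigest() in pins


if __name__ == "__main__":
    pins = pins_from_requirements(REQUIREMENTS_LINE) | pins_from_formula(FORMULA_STANZA)
    print("genuine download verifies:", verify_download(ARTIFACT, pins))
    print("tampered download verifies:", verify_download(TAMPERED, pins))
```

The check is only as strong as the channel that delivered the requirements file or formula: a digest fetched over an unauthenticated connection could be replaced along with the artifact, which is why the transport question matters as much as the hash.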

0 Answers