VLC Update Security Warning - Suspicious Update Sites

Discussion about forum rules, new moderators, website content, website layout, VideoLAN artwork etc..
Forum rules
Please read the forum's rules carefully before posting. This forum should not be used to post VLC usage related questions.
PaulDurham
New Cone
New Cone
Posts: 4
Joined: 25 Jan 2021 21:06

VLC Update Security Warning - Suspicious Update Sites

Postby PaulDurham » 25 Jan 2021 21:14

I am running VLC 3.0.11 Vetinari on Windows 10 Enterprise.
I was prompted by VLC to update to 3.0.12 with the following text: "VideoLAN and the VLC development team present VLC 3.0.12 "Vetinari".
VLC 3.0.12 is a small update to VLC 3.0 branch, improving support for Blu-Rays, RIST, DASH, WMV and Youtube, fixing some graphic drivers bugs and some security issues."

After clicking "Yes" I am presented with the following warning. Clearly any users receiving this warning should not proceed. Is this a VLC codebase supply chain attack?

1st attempt:
You attempted to reach softlibre.unizar.es. However, the security certificate presented by the server is unknown and could not be authenticated by any trusted Certificate Authority.
The problem may stem from an attempt to breach your security, compromise your privacy, or a configuration error.
If in doubt, abort now.

2nd attempt:
You attempted to reach ftp.fau.de. However, the security certificate presented by the server is unknown and could not be authenticated by any trusted Certificate Authority.
The problem may stem from an attempt to breach your security, compromise your privacy, or a configuration error.
If in doubt, abort now.

Subsequent update attempts display different sites names, all with the same warning.

PaulDurham
New Cone
New Cone
Posts: 4
Joined: 25 Jan 2021 21:06

Re: VLC Update Security Warning - Suspicious Update Sites

Postby PaulDurham » 26 Jan 2021 10:51

I am unclear as to why my post was moved to "Contribute and help the VideoLAN project" without any comments. It would be good to understand why this security warning is being experienced.

Lotesdelere
Cone Master
Cone Master
Posts: 9971
Joined: 08 Sep 2006 04:39
Location: Europe

Re: VLC Update Security Warning - Suspicious Update Sites

Postby Lotesdelere » 27 Jan 2021 08:07

Moved to the "Forum and Website" section as it might be linked to some web redirection.
I have no idea about what is going on there, let's hope someone in charge will react and inform us soon.

PaulDurham
New Cone
New Cone
Posts: 4
Joined: 25 Jan 2021 21:06

Re: VLC Update Security Warning - Suspicious Update Sites

Postby PaulDurham » 27 Jan 2021 09:41

I reported this to VLC's published security email address (https://www.videolan.org/security/) on 2021-1-25 at 22:16 UTC+2. I have not had a response as yet.

User avatar
InTheWings
Developer
Developer
Posts: 1275
Joined: 07 Aug 2013 13:15
VLC version: crashing
Operating System: Linux
Contact:

Re: VLC Update Security Warning - Suspicious Update Sites

Postby InTheWings » 27 Jan 2021 16:41

VLC updates are mirrored over 3rd party servers.
They can have bogus or untrusted certificates.
VLC is designed to update over insecure channel.
Update signature is checked after download.
That's not a problem.
:!: If you want your problem to be solved :
* First read troubleshooting guide VSG:Main
* Always provide verbose LOGS ! (command line or from gui)
* Always check your issue against a developer build from Nightly Build of VLC
* Tell us when your problem is solved !

PaulDurham
New Cone
New Cone
Posts: 4
Joined: 25 Jan 2021 21:06

Re: VLC Update Security Warning - Suspicious Update Sites

Postby PaulDurham » 28 Jan 2021 11:19

@InTheWings, I agree that update servers may have bogus or untrusted certificates. That is why VLC validates the certificates before doing the download and why one should NOT accept a download from a site with a bad certificate. This is why I ask what is causing so many (every, in my case) update sites to report a problematic certificate. Either all the sites that my client is contacting are malicious, or all the sites have expired certs, or my client has code in it that is forcing it to update from non-VLC-approved sites. I can't tell which is the case.
Hence VLC Security should respond after investigating. I have notified them via email too.


Return to “Forum, Website and Artwork discussion”

Who is online

Users browsing this forum: No registered users and 5 guests