Message-ID: <1078061888.9054.16.camel@anduril.intranet.cartel-securite.net>
From: blancher at cartel-securite.fr (Cedric Blancher)
Subject: secure downloading of patches (Re: Knocking Microsoft)
On Sat 28/02/2004 at 23:33, Martin Mačok wrote:
> Yes, that was my point. The main issue here is authentication and
> integrity -- you can achieve both with proper use of either SSL or
> PGP.
Good point. SSL can provide proper identification for the download site.
However, this is not sufficient, as a legitimate site can get compromised
and its data archive trojaned, as was the case with OpenSSH two
years ago.
> Regarding the use of encryption, you're not just making the data
> secret (pointless in the case of public data). You are also securing
> the communication channel so no third party sees exactly what patches
> you are downloading and cannot trick you into downloading some junk
> which could attack your patch management system (huge data,
> decompression bombs or even exploits).
Yes.
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
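Added example (not part of the original message): a receiving side for a patch download that checks the artifact itself, not just the channel, and refuses oversized or bomb-like archives as discussed above. The expected digest is assumed to come out-of-band from an authenticated source (e.g. a signed release announcement) and stands in for the PGP signature check the thread mentions, since OpenPGP verification is not in the Python standard library; the patch archive and the bomb are constructed sample data.

```python
import gzip
import hashlib
import hmac
import io
import zlib

# Constructed sample "patch archive": a tiny gzip'd diff standing in for a
# vendor patch download (not a real patch).
PATCH_PLAIN = b"--- a/service.c\n+++ b/service.c\n@@ -1 +1 @@\n-int x;\n+int x = 0;\n"
PATCH_GZ = gzip.compress(PATCH_PLAIN)
# Assumed to have been obtained out-of-band from an authenticated source,
# NOT from the (possibly compromised) download site itself.
PATCH_SHA256 = hashlib.sha256(PATCH_GZ).hexdigest()

# Constructed decompression bomb: 16 MiB of zeros gzips to a few KiB.
BOMB_GZ = gzip.compress(b"\0" * (16 * 1024 * 1024))
BOMB_SHA256 = hashlib.sha256(BOMB_GZ).hexdigest()

class UntrustedPatch(Exception):
    pass

def verify_and_inflate(blob, expected_sha256, max_inflated=1 << 20, chunk=64 * 1024):
    """Return the inflated patch only if the downloaded bytes match the
    out-of-band digest AND inflate to at most max_inflated bytes.
    The digest check authenticates the artifact (TLS alone does not, if the
    server's archive was trojaned); bounded inflation stops bombs early."""
    actual = hashlib.sha256(blob).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256):
        raise UntrustedPatch("digest mismatch: archive altered or wrong file")
    d = zlib.decompressobj(wbits=31)  # wbits=31: gzip framing
    out = bytearray()
    src = io.BytesIO(blob)
    while piece := src.read(chunk):
        # max_length caps the inflated output of this call, so a tiny input
        # cannot force a huge allocation before we get to check the size.
        out += d.decompress(piece, max_inflated + 1 - len(out))
        if len(out) > max_inflated:
            raise UntrustedPatch("inflated size exceeds %d bytes" % max_inflated)
    out += d.flush()
    if not d.eof or len(out) > max_inflated:
        raise UntrustedPatch("truncated archive or size limit exceeded")
    return bytes(out)

def is_rejected(blob, expected_sha256):
    """True if verify_and_inflate refuses the archive (helper for checks)."""
    try:
        verify_and_inflate(blob, expected_sha256)
    except UntrustedPatch:
        return True
    return False
```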