lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <1078061888.9054.16.camel@anduril.intranet.cartel-securite.net>
From: blancher at cartel-securite.fr (Cedric Blancher)
Subject: secure downloading of patches (Re: Knocking Microsoft)

On Sat 28/02/2004 at 23:33, Martin Mačok wrote:
> Yes, that was my point. The main issue here is authentication and
> integrity -- you can achieve both with proper use of either SSL or
> PGP.

Good point. SSL can provide proper identification of the download site.
However, this is not sufficient, as a legitimate site can get compromised
and its data archive trojaned, as was the case with OpenSSH two
years ago.

> Regarding the use of encryption, you're not just making the data
> secret (pointless in the case of public data). You are also securing
> the communication channel so no third party sees exactly which patches
> you are downloading and cannot trick you into downloading some junk
> which could attack your patch management system (huge data,
> decompression bombs or even exploits).

Yes.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
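The thread's point is that the channel (SSL) identifies the server, while the data itself still has to be checked before a patch management system touches it. The following is an added example, not code from the thread or from any project it mentions: it refuses to open a downloaded archive unless its SHA-256 digest matches a value obtained independently of the download channel (assumed here to come from a PGP-signed announcement), and it then bounds what the archive may contain before anything is extracted, covering the "huge data" and "decompression bomb" cases quoted above. The size limits and the sample archive are constructed for the example.

```python
import hashlib
import hmac
import io
import tarfile

# Assumed site policy for this example: per-member and total uncompressed caps.
MAX_MEMBER_BYTES = 8 * 1024 * 1024
MAX_TOTAL_BYTES = 32 * 1024 * 1024


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_archive(data: bytes, expected_sha256: str) -> list:
    """Return the member names of a .tar.gz that matches the out-of-band
    digest and stays within the size limits; raise ValueError otherwise.
    The archive is not even parsed until the digest check has passed."""
    if not hmac.compare_digest(sha256_hex(data), expected_sha256):
        raise ValueError("digest mismatch: not the published archive")
    names, total = [], 0
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar:  # header walk only, nothing is written to disk
            if not (member.isfile() or member.isdir()):
                raise ValueError("unexpected member type: " + member.name)
            if member.name.startswith("/") or ".." in member.name.split("/"):
                raise ValueError("path traversal in member: " + member.name)
            if member.size > MAX_MEMBER_BYTES:
                raise ValueError("member too large: " + member.name)
            total += member.size
            if total > MAX_TOTAL_BYTES:
                raise ValueError("total uncompressed size exceeds limit")
            names.append(member.name)
    return names


def build_sample_archive(files: dict) -> bytes:
    """Construct an in-memory .tar.gz from {name: content} for testing."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()
```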
