Message-ID: <20040229165708.GG9276@josefina.dcit.cz>
From: martin.macok at underground.cz (Martin Mačok)
Subject: secure downloading of patches (Re: Knocking Microsoft)

On Sun, Feb 29, 2004 at 02:38:08PM +0100, Cedric Blancher wrote:

> > The main issue here is authentication and integrity -- you can
> > achieve both with proper use of either SSL or PGP.
> 
> Good point. SSL can provide a proper identification for download
> site. However, this is not sufficient as legitimate site can get
> compromised and its data archive trojaned, as was the case
> with OpenSSH two years ago.

You are right that PGP is a stronger protection from this point of view
but keep in mind that neither SSL nor PGP can protect us in the case
of the compromised end point -- the server or developer's workstation
in the case of SSL/TLS and the developer's workstation in the case of
PGP.

From the other point of view, only SSL/TLS can protect you against the
attacks on the transfer itself. For example, the attacker can poison
your DNS cache and trick you into connecting to the site that does not
provide the patch (so you stay vulnerable).

Martin Mačok
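An added example (not part of the original post) of the layered policy this thread argues for: refuse anything but a TLS transfer, then check the archive's detached PGP signature against a pinned fingerprint rather than trusting gpg's exit code alone. The pinned fingerprint, the gpg invocation and the status-line parsing are my assumptions about how such a verifier is set up.

```python
"""Download-and-verify policy for a software patch: TLS for the transfer,
a detached PGP signature against a pinned key for the archive itself."""
import subprocess
from urllib.parse import urlparse

# Constructed placeholder: replace with the vendor's published key fingerprint.
PINNED_FPR = "0000000000000000000000000000000000000000"

# gpg --status-fd tags that mean the signature must not be accepted.
BAD_STATUS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA"}


def require_https(url: str) -> bool:
    """Only a verified TLS connection defends the transfer itself (DNS
    cache poisoning, redirection to a site without the patch)."""
    p = urlparse(url)
    return p.scheme == "https" and bool(p.hostname)


def parse_gpg_status(status_text: str, expected_fpr: str) -> bool:
    """Accept only if gpg reports VALIDSIG made by the pinned key and no
    bad/expired/revoked status appears. A zero exit code alone is not
    enough: any key that happens to be in the keyring would satisfy it."""
    expected = expected_fpr.replace(" ", "").upper()
    seen_valid = False
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag in BAD_STATUS:
            return False
        if tag == "VALIDSIG":
            # fields[2] = fingerprint of the signing (sub)key,
            # fields[-1] = fingerprint of the primary key (gpg >= 2)
            if expected in {fields[2].upper(), fields[-1].upper()}:
                seen_valid = True
    return seen_valid


def verify_patch(patch_path: str, sig_path: str,
                 expected_fpr: str = PINNED_FPR) -> bool:
    """Run gpg on a detached signature and apply the pinned-key policy.
    The vendor key must already be imported into the local keyring."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, patch_path],
        capture_output=True, text=True, check=False)
    return parse_gpg_status(proc.stdout, expected_fpr)
```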

