Full Disclosure mailing list archives

Re: secure downloading of patches (Re: Knocking Microsoft)


From: Cedric Blancher <blancher () cartel-securite fr>
Date: Sun, 29 Feb 2004 14:38:08 +0100

On Sat 28/02/2004 at 23:33, Martin Mačok wrote:
> Yes, that was my point. The main issue here is authentication and
> integrity -- you can achieve both with proper use of either SSL or
> PGP.

Good point. SSL can provide proper identification of a download site.
However, this is not sufficient, as a legitimate site can get compromised
and its data archive trojaned, as was the case with OpenSSH two
years ago.

> Regarding the use of encryption, you're not just making the data
> secret (pointless in the case of public data). You are also securing
> the communication channel so no third party sees exactly what patches
> you are downloading and cannot trick you into downloading some junk
> which could attack your patch management system (huge data,
> decompression bombs or even exploits).

Yes.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
Hi! I'm your friendly neighbourhood signature virus.
Copy me to your signature file and help me spread!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
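The two checks the thread argues for beyond TLS, a digest pinned by a signed manifest (so a trojaned archive on a compromised mirror is caught) and a hard cap on inflated size (so a decompression bomb cannot take down the patch management system), as an added example that is not part of the original post. All sample data is constructed here; it assumes the manifest digest was already verified against a PGP key obtained out of band, and that the download itself ran over TLS with certificate checking, neither of which is shown.

```python
import hashlib
import hmac
import zlib

# Constructed sample data (not a real vendor archive): a small patch and its
# compressed form, standing in for the archive fetched from the download site.
PATCH_PAYLOAD = (
    b"--- a/server.c\n+++ b/server.c\n@@ -1 +1 @@\n"
    b"-char buf[8];\n+char buf[16];\n"
)
GOOD_ARCHIVE = zlib.compress(PATCH_PAYLOAD)

# Digest the vendor publishes in a separately PGP-signed manifest. Assumption:
# the signature on that manifest has already been verified against a key you
# obtained out of band; that step is not part of this example.
PINNED_SHA256 = hashlib.sha256(GOOD_ARCHIVE).hexdigest()

MAX_ARCHIVE_BYTES = 1 << 20        # largest compressed archive we will read
MAX_DECOMPRESSED_BYTES = 8 << 20   # hard cap on inflated output

# Two constructed bad inputs: a trojaned archive as a compromised mirror might
# serve it, and a decompression bomb (16 MiB of zeros packed into a few KiB).
TROJANED_ARCHIVE = zlib.compress(PATCH_PAYLOAD.replace(b"[16]", b"[4]"))
BOMB_ARCHIVE = zlib.compress(b"\x00" * (2 * MAX_DECOMPRESSED_BYTES))
BOMB_SHA256 = hashlib.sha256(BOMB_ARCHIVE).hexdigest()


def verify_archive(data: bytes, expected_sha256: str) -> bool:
    """Integrity check: reject oversized input and anything whose digest does
    not match the value from the signed manifest. TLS on the download only
    tells you which host served the bytes, not that they are the right bytes."""
    if len(data) > MAX_ARCHIVE_BYTES:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256)


def safe_decompress(data: bytes, limit: int = MAX_DECOMPRESSED_BYTES) -> bytes:
    """Inflate with a hard size limit so a decompression bomb cannot exhaust
    memory. zlib is asked for at most limit+1 bytes; if it produced more than
    the limit, or has not reached end-of-stream, the input is rejected."""
    d = zlib.decompressobj()
    out = d.decompress(data, limit + 1)
    if len(out) > limit or not d.eof:
        raise ValueError("decompressed output exceeds %d bytes" % limit)
    return out


def install_from_archive(archive: bytes, expected_sha256: str) -> bytes:
    """Order matters: verify integrity first, then inflate under a cap, and
    only then hand the patch to whatever applies it."""
    if not verify_archive(archive, expected_sha256):
        raise ValueError("archive digest does not match signed manifest")
    return safe_decompress(archive)


if __name__ == "__main__":
    print(install_from_archive(GOOD_ARCHIVE, PINNED_SHA256).decode())
    # The trojaned archive fails the manifest check; the bomb passes a digest
    # check against its own hash but is stopped by the decompression cap.
    for name, bad, digest in (("trojaned", TROJANED_ARCHIVE, PINNED_SHA256),
                              ("bomb", BOMB_ARCHIVE, BOMB_SHA256)):
        try:
            install_from_archive(bad, digest)
        except ValueError as exc:
            print(name, "rejected:", exc)
```

The digest comparison uses a constant-time compare out of habit; the real protection is that the expected digest comes from a signed manifest rather than from the same server that served the archive. The decompression cap relies on `zlib.decompressobj.decompress(data, max_length)` and the `eof` flag, so a stream that is either too large or truncated is rejected before any of it reaches the patch tooling.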