Full Disclosure mailing list archives
Re: secure downloading of patches (Re: Knocking Microsoft)
From: Martin Mačok <martin.macok () underground cz>
Date: Sun, 29 Feb 2004 17:57:08 +0100
On Sun, Feb 29, 2004 at 02:38:08PM +0100, Cedric Blancher wrote:
The main issue here is authentication and integrity -- you can achieve both with proper use of either SSL or PGP.
Good point. SSL can provide a proper identification for the download site. However, this is not sufficient as a legitimate site can get compromised and its data archive trojaned, as it's been the case with OpenSSH two years ago.
You are right that PGP is a stronger protection from this point of view but keep in mind that neither SSL nor PGP can protect us in the case of the compromised end point -- the server or developer's workstation in the case of SSL/TLS and the developer's workstation in the case of PGP.
From the other point of view, only SSL/TLS can protect you against the attacks on the transfer itself. For example, the attacker can poison your DNS cache and trick you into connecting to the site that does not provide the patch (so you stay vulnerable).
Martin Mačok