Full Disclosure mailing list archives

Re: secure downloading of patches (Re: Knocking Microsoft)


From: Cedric Blancher <blancher () cartel-securite fr>
Date: Sun, 29 Feb 2004 20:44:30 +0100

On Sun 29/02/2004 at 17:57, Martin Mačok wrote:
> You are right that PGP is a stronger protection from this point of view
> but keep in mind that neither SSL nor PGP can protect us in the case
> of the compromised end point -- the server or developer's workstation
> in the case of SSL/TLS and the developer's workstation in the case of
> PGP.

Developer's private key compromise is quite unlikely to happen,
although it is clearly possible, especially if we think of the Valve case
(source code theft through developer workstation compromise).

> From the other point of view, only SSL/TLS can protect you against the
> attacks on the transfer itself. For example, the attacker can poison
> your DNS cache and trick you into connecting to the site that does not
> provide the patch (so you stay vulnerable).

True, this is definitely a good point I didn't think of.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
Hi! I'm your friendly neighbourhood signature virus.
Copy me to your signature file and help me spread!
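As an added illustration of the two protections contrasted in this exchange (example code written for this archive page, not anything posted by Cedric or Martin): a client-side verifier for a signed patch manifest. The Ed25519 signature catches tampered content, which is what PGP-style signing defends against, while the version and issue-time checks catch the case Martin raises, a redirect to a mirror that serves no new patch, which a signature alone cannot detect. The product name, version numbers, hashes, keys and the 14-day freshness window are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Manifest is the record a vendor signs for each release. Because the version
// number and issue time sit under the signature, a client can tell a withheld
// or replayed release from a genuine new one.
type Manifest struct {
	Product  string `json:"product"`
	Version  int    `json:"version"`   // strictly increasing release counter
	PatchSHA string `json:"patch_sha"` // hash of the patch file itself
	IssuedAt int64  `json:"issued_at"` // unix seconds
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrRollback     = errors.New("manifest version not newer than installed")
	ErrStale        = errors.New("manifest older than freshness window")
)

// Sign returns the canonical bytes of m and a detached Ed25519 signature over them.
func Sign(priv ed25519.PrivateKey, m Manifest) (body, sig []byte, err error) {
	body, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(priv, body), nil
}

// Verify checks the detached signature first (never parse unauthenticated
// input), then enforces what a signature alone cannot: the release must be
// newer than the installed one, and must have been issued within maxAge.
func Verify(pub ed25519.PublicKey, body, sig []byte, installed int,
	now time.Time, maxAge time.Duration) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, body, sig) {
		return m, ErrBadSignature
	}
	if err := json.Unmarshal(body, &m); err != nil {
		return m, err
	}
	if m.Version <= installed {
		return m, ErrRollback
	}
	if now.Sub(time.Unix(m.IssuedAt, 0)) > maxAge {
		return m, ErrStale
	}
	return m, nil
}

// Scenarios feeds the verifier a genuine manifest and three things a client
// redirected to a hostile or frozen mirror might receive instead. Keys,
// versions, hashes and dates below are constructed for the example.
func Scenarios() (genuine, tampered, replayed, stale error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Date(2004, time.March, 1, 12, 0, 0, 0, time.UTC)
	const installed = 41
	const maxAge = 14 * 24 * time.Hour
	day := 24 * time.Hour

	sign := func(v int, age time.Duration, sha string) ([]byte, []byte) {
		body, sig, err := Sign(priv, Manifest{
			Product: "example-product", Version: v, PatchSHA: sha,
			IssuedAt: now.Add(-age).Unix(),
		})
		if err != nil {
			panic(err)
		}
		return body, sig
	}

	// 1. The real current release: newer version, signed two days ago.
	body, sig := sign(42, 2*day, "sha256:PLACEHOLDER-42")
	_, genuine = Verify(pub, body, sig, installed, now, maxAge)

	// 2. A mirror swaps in its own patch hash but keeps the vendor's signature.
	evilBody, _ := json.Marshal(Manifest{
		Product: "example-product", Version: 42,
		PatchSHA: "sha256:PLACEHOLDER-EVIL", IssuedAt: now.Add(-2 * day).Unix(),
	})
	_, tampered = Verify(pub, evilBody, sig, installed, now, maxAge)

	// 3. A poisoned-DNS redirect serves the previous, correctly signed release,
	//    so the client would stay on the version it already has.
	body, sig = sign(41, 90*day, "sha256:PLACEHOLDER-41")
	_, replayed = Verify(pub, body, sig, installed, now, maxAge)

	// 4. A frozen mirror keeps serving a manifest the vendor signed two months
	//    ago; the vendor re-signs regularly, so anything outside the window
	//    means the mirror is no longer being updated.
	body, sig = sign(42, 60*day, "sha256:PLACEHOLDER-42")
	_, stale = Verify(pub, body, sig, installed, now, maxAge)
	return
}

func main() {
	g, t, r, s := Scenarios()
	fmt.Println("genuine:", g)
	fmt.Println("tampered:", t)
	fmt.Println("replayed:", r)
	fmt.Println("stale:", s)
}
```

The design choice here, a signed, periodically re-issued manifest whose version and issue time are covered by the signature, is the same idea TUF's timestamp and snapshot roles use to let a client notice that a mirror is withholding updates even when every file it serves carries a valid signature.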

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

