[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] secure downloading of patches (Re: Knocking Microsoft)

To: Martin Mačok <martin.macok@xxxxxxxxxxxxxx>
Subject: Re: [Full-Disclosure] secure downloading of patches (Re: Knocking Microsoft)
From: Cedric Blancher <blancher@xxxxxxxxxxxxxxxxxx>
Date: Sun, 29 Feb 2004 20:44:30 +0100

Le dim 29/02/2004 à 17:57, Martin Mačok a écrit :
> You are true that PGP is a stronger protection from this point of view
> but keep in mind that neither SSL nor PGP can protect us in the case
> of the compromised end point -- the server or developper's workstation
> in the case of SSL/TLS and the developper's workstation in the case of
> PGP.

Developper's private key compromission is quite unlikely to happen,
although it is clearly possible, especially if we think to Valve case
(code source steal through developper station compromise).

> From the other point of view, only SSL/TLS can protect you against the
> attacks on the transfer itself. For example, the attacker can poison
> your DNS cache and trick you into connecting to the site that does not
> provide the patch (so you stay vulnerable).

True, this is definitly a good point I didn't think of.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- Re: [Full-Disclosure] secure downloading of patches (Re: Knocking Microsoft)
  - From: Martin Mačok

Prev by Date: Re: [Full-Disclosure] Pricelist
Next by Date: Re: [OT] Re: [Full-Disclosure] Knocking Microsoft
Previous by thread: Re: [Full-Disclosure] secure downloading of patches (Re: Knocking Microsoft)
Next by thread: Re: [OT] Re: [Full-Disclosure] Knocking Microsoft
Index(es):
- Date
- Thread