Hi there,

On Thu, 18 Nov 1999, Ben Laurie wrote:

> Mark J Cox wrote:
> > 
> > > > Oh really?  How regularly do you check that MSVCRT.DLL hasn't
> > > > been modified by an attacker?  And how do you make that check?
> > >
> > > Simple!  You compile it from the source.
> > 
> > How do you check that your source hasn't been modified by an attacker?
> > How many people who use OpenSSL have even gone through 20% of the source
> > line-by-line?
> 
> Check the PGP signature?

Yup, signatures are the only way. Making people trawl through the source
to OpenSSL would simply be cruel and inhumane. And as for the previous
example about msvcrt.dll ... well ... there has to be something in the
Geneva Convention about making people read that kind of code ...

Cheers,
Geoff

<tongue remains firmly in cheek>


----------------------------------------------------------------------
Geoff Thorpe                                    Email: [EMAIL PROTECTED]
Cryptographic Software Engineer, C2Net Europe    http://www.int.c2.net
----------------------------------------------------------------------
May I just take this opportunity to say that of all the people I have
EVER emailed, you are definitely one of them.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
