* Li, Yvonne wrote on Fri, Apr 18, 2008 at 23:46 -0400: > You have lots of good points. Thank you again. > > I work for AOL, developing cross platform SDK for instant messaging that > supports plugins. Plugins can be malicious. And AOL is responsible for > protecting users' identity and privacy. Considering our user base, a > trojan is more likely to target our users than to protect them.
So in short, you cannot trust the environment you run some SSL based application in, right? Because it is the same environment other plug-ins can do whatever they want? In that case I'm afraid you're lost. You cannot create a secure something inside a trojan horse environment I think. First, you application that verifies whatever can be modified when loading or replaced completely (who can replace libs, probably can also replace binaries). Second, your trust database (e.g. root CA certificate or alike) could be replaced (e.g. by intercepting the open/read system calls or whatever). Some malicious CA certficate could be put in place. I could imagine that this is easier than trojaning platform-dependent openssl libs in version-dependent internet tools and even would work for web browsers :) > What do the majority applications do on Unix if static linking > with openssl isn't suitable? For security reasons, I think here is should be suitable, because if there would be some security issue with openssl or any other used library or system package, even after the unix vendor / linux distributor online-update-mechanism installed a fixed openssl lib, a static linked application would still be vulnerable! oki, Steffen About Ingenico Throughout the world businesses rely on Ingenico for secure and expedient electronic transaction acceptance. Ingenico products leverage proven technology, established standards and unparalleled ergonomics to provide optimal reliability, versatility and usability. This comprehensive range of products is complemented by a global array of services and partnerships, enabling businesses in a number of vertical sectors to accept transactions anywhere their business takes them. www.ingenico.com This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
