On Friday 06 April 2007 11:42, Jan Karjalainen wrote: > ... > > > That doesn't change the fact that bittorrent in itself doesn't have > > security. It also doesn't change the fact that a checksum is not a > > security feature. It only helps you ensure that what you get is > > what the other side sent. In the end, you're still stuck with the > > question "do I trust the sender". Bittorrent doesn't help you with > > that > > Which protocol does that, I'd like to know... > In the end, you have to trust to source, right?
Of course. But there's a separate issue, and that is the matter of knowing that the provider is who them claim to be. Piggybacking malware on the name of a trusted source is a viable means for injecting an exploit, if the distribution system does not preclude such misrepresentations. That's what cryptographic identity certificates are for. One would hope that if BitTorrent is going to be widely used to distribute critical resources such as software it would be endowed with the ability to propagate and verify these signatures. Or does BitTorrent already incorporate certificate validation? > Unless it's source code, then you can check out the code for > yourself. True, if you're a good enough programmer and have the time. For practical purposes, virtually all users must trust someone else to certify that a given piece of software if free of deliberately added vulnerabilities. And that does not reflect bugs with security impacts--they're a separate issue--nor does such a professional certification constitute a guarantee. C'est la vie. Randall Schulz -- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
