I first sent this from the wrong email address. My apology.

On Fri, 28 Oct 2016 08:24 +0100 (BST), you wrote:
> > When downloading ICS and the OpenSSL binaries you provide, I've
> > never been able to find any sig, sha, or md5 files for checking
> > authenticity.
> ICS itself is source code, so in theory is not a security risk.

Source code is subject to the same concerns as binaries. When the SSL 
code was added to ICS years back, security became a concern.

> We don't provide any authentication for our builds of the OpenSSL tools
> because no-one has ever asked, and we don't have the means to easily
> automate it.  Doing so would involve time better spent supporting ICS.
> You don't have to use the ICS build OpenSSL tools, there are other
> Windows versions out there you can use instead.
> One thing that could be done with a new command batch file is to
> digitally sign the OpenSSL DLLs, which you can already do for your own
> customers.

You're right. All that's required is a batch file. I PGP sign all my 
source and binaries. It's required. Your ICS and OpenSSL DLLs are 
included in my releases, and it makes me a little uneasy signing for 
your work as I cannot say I know for a fact these binaries came from the 
original source code or aren't otherwise tampered with. The original 
OpenSSL files you downloaded were signed. Then you don't sign. Then I do 
sign. You're sort of a broken link in the security chain.

I have always trusted you guys implicitly, I feel quite certain 
everything is fine. I will continue to trust you. I appreciate your very 
long and most excellent work. I've been with you since, I think, 1999.

> But ICS does have an authenticode certificate and is not a
> company so might have trouble actually buying one (they are expensive)
> so they'd probably need to be signed by my company as Magenta Systems
> Ltd.  But at least that would protect against tampering.

I'm not sure about your authenticode cert and how the user tests it. 
I've seen them available and I know they're expensive. I'm guessing this 
is for your commercial software. It's probably not the best choice for 
this application.

In the open source world, PGP sigs are universally accepted for this 
purpose. All that's required is the GPG program and creation of a key 
owned by the person signing the release.

I know this is something you haven't considered previously. Early on, 
your work had no security implications at all. I can understand and have 
basically overlooked this all along.

Taking this step would be an important and needed service to all who use 
your ICS/OpenSSL, but if this is too much for you right now, I hope you 
can work it in at some time in the future.


To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be

Reply via email to