2008/8/4 NoOp <[EMAIL PROTECTED]>
<snip>
> There will always be hacks for security, and like you point out digital
> certs are generally considerably more secure than a standard md5. But
> again, I think that the issues relating to signed downloads from OOo are
> extending the signatures out to the mirrors etc. Even major linux
> distributions are rarely, if ever, offered with digital certs. I suppose
> the "EvilGrade Exploit" as described can and will work, I suspect it is
> more a "proof of concept" than active, but it never hurts to take
> measures to protect against it.
I have to say I don't see the problem with mirrors. The signed file and the certificate used to check the signature are separate entities. The server from which you get the signed file doesn't need a certificate. The server from which you get the certificate doesn't *need* a certificate but it's nice/reassuring to get a certificate from a trusted source. But the main point is that the certificate certainly doesn't have to come from the mirror.

> Questions such as those by the original poster are probably better
> addressed to the OOo security team rather than via user
> comment/speculation. See:
> http://www.openoffice.org/security/
> [EMAIL PROTECTED]
> http://www.openoffice.org/security/bulletin.html

Let's hope they're eavesdropping ;-)

-- 
Harold Fuchs
London, England
Please reply *only* to [email protected]
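The point Harold makes above, that the trust lives in where the verification key came from and not in the mirror that served the file, is easy to show in code. The following Go program is an added illustration written for this thread; it is not code from the OpenOffice.org project and does not model how OOo actually signs its installers. It assumes Ed25519 detached signatures purely for convenience, and the names Publish, Tamper, ChecksumMatches and SignatureValid are invented for the example. The "installer" bytes are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is what a download mirror serves: the installer bytes, a detached
// signature over them, and a checksum file sitting next to the installer.
// The mirror controls all three; none of them is trusted on its own.
type Release struct {
	Artifact  []byte
	Signature []byte
	Checksum  string // hex SHA-256 of Artifact, as published by the mirror
}

// Publish models the project's release step. Only the publisher holds the
// private key; mirrors receive the three outputs and nothing else.
func Publish(priv ed25519.PrivateKey, artifact []byte) Release {
	sum := sha256.Sum256(artifact)
	return Release{
		Artifact:  artifact,
		Signature: ed25519.Sign(priv, artifact),
		Checksum:  hex.EncodeToString(sum[:]),
	}
}

// Tamper models a hostile mirror or an Evilgrade-style man-in-the-middle.
// It swaps in its own payload, recomputes the checksum so that a hash check
// still passes, and signs the payload with a key it generated itself,
// offering that key's public half to anyone who fetches "the certificate"
// from the same place as the file. (Hypothetical attacker, constructed here.)
func Tamper(evil []byte) (Release, ed25519.PublicKey) {
	attackerPub, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Publish(attackerPriv, evil), attackerPub
}

// ChecksumMatches is the weak check: the artifact is compared against a
// checksum obtained from the same mirror, so a mirror that changes the file
// simply changes the checksum too.
func ChecksumMatches(r Release) bool {
	sum := sha256.Sum256(r.Artifact)
	return hex.EncodeToString(sum[:]) == r.Checksum
}

// SignatureValid is the strong check. pub must be obtained out of band
// (the project's own site, a keyring shipped with the previous release,
// a trusted keyserver); it is never taken from the mirror that served the file.
func SignatureValid(pub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pub, r.Artifact, r.Signature)
}

func main() {
	// Constructed sample data standing in for the real installer.
	genuine := []byte("OOo_3.0.0_install.exe: genuine installer bytes")
	evil := []byte("OOo_3.0.0_install.exe: trojaned installer bytes")

	projectPub, projectPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	good := Publish(projectPriv, genuine)
	bad, mirrorPub := Tamper(evil)

	fmt.Println("genuine:  checksum ok =", ChecksumMatches(good),
		" signature ok (project key) =", SignatureValid(projectPub, good))
	fmt.Println("tampered: checksum ok =", ChecksumMatches(bad),
		" signature ok (project key) =", SignatureValid(projectPub, bad),
		" signature ok (mirror's key) =", SignatureValid(mirrorPub, bad))
}
```

The tampered release passes the checksum check and even verifies against the key the mirror hands out; it only fails against the project's key. That is the whole argument: the mirror can serve the file and the signature, but the public key (or certificate) used to verify has to come from somewhere the user already trusts.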
