Re: Comparing PGP to Symantec's Secret Stuff
Vin,
Having worked for those multinationals and defense
contractors, I've seen them buy new products with serious weaknesses
in key generation, with year 2000 problems, with stream ciphers used
to protect stored data--keyed the same way each time. I've seen them
use code that sent cleartext where it should have been encrypting on
the wire.
I could retire a rich man if I never wanted to come back to
the US.
Do due diligence yourself. Read the snake oil faq. Insist
on speaking to someone at the vendor with two brain cells to rub
together. If they claim Acme bought it so you should, too, insist on
speaking to the security folks at Acme who did the eval. It's your
money. It's their security product. Feel free to evaluate it right.
If the vendor won't cooperate, go elsewhere.
The product I'm building uses 'brand name' cryptography--
libraries and tools from well known sources. It takes a bit of speed
away (I'd have preferred to use X9.17 over SSL for our bits on the
wire, but I couldn't find a peer reviewed X9.17 library out there.)
Adam
Vin McLellan wrote:
| The lack of published source code is an issue, but if you see such a
| product being purchased by multinationals or US defense contractors you
| can be certain the implementation -- which is the real arena of
| vulnerability, once the algorithm is chosen -- has been carefully studied
| by informed cryptographers. (For non-American product, look for similar
| purchases by government-connected agencies in the vendor's nation.)
--
"It is seldom that liberty of any kind is lost all at once."
-Hume
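The "stream cipher keyed the same way each time" weakness Adam mentions, shown as an added example that is not part of either message: when two stored records are encrypted under the same key and nonce, the keystreams cancel and the XOR of the ciphertexts equals the XOR of the plaintexts, so one known record exposes the other. The keystream generator, key, nonce and record values here are constructed stand-ins, not any vendor's cipher; the fix is a fresh per-record nonce stored alongside the ciphertext.

```python
import hashlib
import os

# Constructed sample values (not from the post); 32-byte key, 12-byte nonce.
KEY = bytes(range(32))
NONCE = b"\x00" * 12
P1 = b"ACCOUNT=1234 BALANCE=00100"
P2 = b"ACCOUNT=5678 BALANCE=99999"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream over SHA-256, standing in for any
    stream cipher. Same (key, nonce) always yields the same bytes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


def leaked_xor(c1: bytes, c2: bytes) -> bytes:
    """If both records used the same key and nonce, c1 ^ c2 == p1 ^ p2:
    the keystream is gone and only plaintext structure remains."""
    return xor(c1, c2)


def encrypt_fresh(key: bytes, plaintext: bytes) -> bytes:
    """Corrected practice: random nonce per record, stored with the data."""
    nonce = os.urandom(12)
    return nonce + encrypt(key, nonce, plaintext)


def decrypt_fresh(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:12], blob[12:]
    return encrypt(key, nonce, ct)


if __name__ == "__main__":
    c1, c2 = encrypt(KEY, NONCE, P1), encrypt(KEY, NONCE, P2)
    print(leaked_xor(c1, c2) == xor(P1, P2))  # True: same keying leaks p1 ^ p2
```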