[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Netscape finally issuing md5sums/pgp signed binaries ? (was Re: NetScape's dependence upon RSA down for the count!)

>   I've been thinking about this recently for obvious reasons.  My concern
> is that if someone can attack your download of netscape, they could also
> attack your download of the program that validates netscape.  Is there
> really any way out of this one?
> 	--Jeff

I remember sometime in the last couple of years seeing a cert advisory that
said that people's checksumming programs were being replaced by ones that
did the normal checksumming except on compromised programs.  This was part
of one particular attack as I remember.

  /  These opinions are mine, and not Verity's (except by coincidence;).  \
 |                                                       (\                |
 |  Patrick J. Horgan         Verity Inc.                 \\    Have       |
 |  [email protected]        1550 Plymouth Street         \\  _ Sword     | 
 |  Phone : (415)960-7600     Mountain View                 \\/    Will    | 
 |  FAX   : (415)960-7750     California 94303             _/\\     Travel |