[EMAIL PROTECTED] wrote:
> 
> Has anyone written anything about the problem of using
> OpenSSL in an untrusted environment?

Anything in an untrusted environment is in the hands of the enemy.

> (Forget about signed digital money for this question).

Well, it would certainly make this topic more interesting if you ignore
the obvious solution.

> Some obvious holes for a hostile user...

The entire point of authentication-oriented cryptography (signing,
hashes and so forth) is to make it so tampering invalidates the
transaction.  Privacy-oriented encryption aims to protect both
participants, so it is generally against either of their interests to
reduce it.

What you've proposed is a situation where someone has made some woefully
typical application security design errors.  If you wish to point out
that badly designed security will not be saved by misapplied technology,
then, yes, you have a point.  I'd like to think it was an obvious point,
but I know better from experience.  On the other hand, I think that the
OpenSSL audience is probably more aware of these issues than most.

Most likely, you're preaching to the choir and that is why you don't see
this discussed much here.

-- Charles
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
