* Kenneth Goldman wrote on Sun, Apr 11, 2010 at 15:36 -0400:
> owner-openssl-us...@openssl.org wrote on 04/11/2010 01:38:14 PM:
> > * Kenneth Goldman wrote on Fri, Apr 09, 2010 at 08:12 -0400:
> > > I notice that the tarballs also include a SHA1 digest.
> > > What's the point?
> >
> > To have a check whether the FTP download was successful to
> > avoid accidentally using corrupt files, a file integrity
> > check with a checksum is quite common.
>
> Aha. So it's just a double check on ftp? It's not trying to
> protect against an attacker targeting the openssl site or the
> download process?
(I cannot tell the intention of the checksum, because I don't know the involved processes, but I think it is wrong to take it as an authenticity check.)

I think, to protect against malicious OpenSSL source code, you have to retrieve the analyzed and approved version from the security lab you trust and appointed (ensuring authenticity by e.g. cryptographic means) and/or verify the diff to the last checked version. Otherwise an attack on, let's say, the CVS server could succeed (if done well, the checksum in the announcement could even `prove' this malicious modification `authentic', if the attack had been done in a way remaining unnoticed by the OpenSSL release process).

oki,
Steffen

About Ingenico: Ingenico is a leading provider of payment solutions, with over 15 million terminals deployed in more than 125 countries. Its 2,850 employees worldwide support retailers, banks and service providers to optimize and secure their electronic payments solutions, develop their offer of services and increase their point of sales revenue. More information on http://www.ingenico.com/.

This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.

Please consider the environment before printing this e-mail

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
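The distinction the thread draws, that a published SHA-1 next to a tarball catches a bad FTP transfer but says nothing about who produced the file, can be shown in a few lines. The following Python is an added illustration, not code from the thread or from the OpenSSL project. The "tarball" bytes are a constructed sample, and the keyed HMAC tag is a hypothetical stand-in for a real detached signature: it models the one property that matters here, namely that the party who can replace the file and recompute its checksum cannot also recompute a value that depends on a key they do not hold.

```python
import hashlib
import hmac

# Constructed sample standing in for a release tarball; not a real OpenSSL release.
ORIGINAL_TARBALL = b"openssl-x.y.z.tar.gz (constructed sample contents)"

# Placeholder secret held only by the trusted party (hypothetical; a real
# release would use a public-key signature such as a detached PGP signature).
TRUSTED_KEY = b"placeholder-secret-known-only-to-the-trusted-party"


def sha1_digest(data: bytes) -> str:
    """The checksum shipped next to the tarball: it detects accidental corruption."""
    return hashlib.sha1(data).hexdigest()


def checksum_matches(data: bytes, published_digest: str) -> bool:
    """Integrity check: does the downloaded file hash to the published digest?"""
    return hmac.compare_digest(sha1_digest(data), published_digest)


def authenticity_tag(data: bytes, key: bytes = TRUSTED_KEY) -> str:
    """Keyed tag: only someone holding the key can produce a matching value."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def tag_matches(data: bytes, published_tag: str, key: bytes = TRUSTED_KEY) -> bool:
    """Authenticity check: was this exact content tagged by the key holder?"""
    return hmac.compare_digest(authenticity_tag(data, key), published_tag)


def corrupt_in_transit(data: bytes) -> bytes:
    """Simulated FTP transfer error: one byte flipped, digest on the server untouched."""
    return data[:10] + bytes([data[10] ^ 0x01]) + data[11:]


def tampered_release(data: bytes) -> tuple[bytes, str]:
    """Simulated server compromise as described in the thread: a modified file
    together with a recomputed SHA-1 published alongside it, so the checksum
    alone 'proves' the modified copy."""
    modified = data + b"\n# unexpected modification"
    return modified, sha1_digest(modified)


def evaluate_scenarios() -> dict[str, bool]:
    """Run each download scenario through both checks and report what passes."""
    published_digest = sha1_digest(ORIGINAL_TARBALL)
    published_tag = authenticity_tag(ORIGINAL_TARBALL)

    corrupted = corrupt_in_transit(ORIGINAL_TARBALL)
    tampered, tampered_digest = tampered_release(ORIGINAL_TARBALL)

    return {
        # A clean download passes both checks.
        "clean_checksum": checksum_matches(ORIGINAL_TARBALL, published_digest),
        "clean_tag": tag_matches(ORIGINAL_TARBALL, published_tag),
        # A transfer error: the checksum catches it, which is its purpose.
        "corrupt_checksum": checksum_matches(corrupted, published_digest),
        # Modified file plus matching digest: the checksum reports 'fine'...
        "tampered_checksum": checksum_matches(tampered, tampered_digest),
        # ...but the keyed tag, which cannot be recomputed without the key, rejects it.
        "tampered_tag": tag_matches(tampered, published_tag),
    }


if __name__ == "__main__":
    for name, ok in evaluate_scenarios().items():
        print(f"{name:18s} {'accepted' if ok else 'REJECTED'}")
```

The point of `tampered_checksum` being accepted is the one Steffen makes: whoever can alter what the server hands out can also alter the digest published beside it, so the digest only guards against the transfer, not the source. The check that actually establishes origin has to depend on something the publishing host does not hold, which is why the thread points to a cryptographically authenticated copy from a party you trust, or a reviewed diff against a known-good version.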