Aleph One / aleph1@dfw.net typed: ...
fc@all.net typed:
That's correct. Secure software has to have secure distribution in order to maintain its security when distributed through an untrusted channel. I think that Netscape uses an MD5 checksum which the members of this list seem to place unlimited trust in (incorrectly in my view, but that would be picking two nits with one keyboard entry).
Question: Does your software (your striped down http server, etc) do this? I bet not.
How much do you owe me? The differences between my secure http server and Netscape's browser are quite dramatic, so I think you deserve a fairly comprehensive answer. My get-only server cannot run outside applications, and hence does not have the vulnerability of Netscape's browser. Note also the distinction between a server and a browser. My get-only server is available in source form, is 80 lines long and thus easily understood, has been shown to meet security properties, is now in the process of being mathematically proven to meet those properties, and is published in a refereed journal which can be used to confirm its contents in detail. Hence, I do provide secure distribution through purely physical means. -- -> See: Info-Sec Heaven at URL http://all.net Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236