[TriLUG] Fwd: OpenSSH Security Advisory: Trojaned Distribution Files
Dan Chen
crimsun at email.unc.edu
Thu Aug 1 19:10:40 EDT 2002
On Thu, Aug 01, 2002 at 06:04:14PM -0400, Mike Mueller wrote:
> What if MD5s were signed and sent to trusted people that published the MD5s?
> Then one could check for agreement amongst 2 or more MD5s. Multiple MD5
> locations would be harder to coordinate an attack on. MD5s are small to
> download and would add negligible overhead to the entire process. This is
> different from pulling MD5s from different mirror sites that would simply
> reflect the original compromised MD5.
Hmm, more points to compromise, surely. That makes it more of a pain for
the kiddie, but it still relies to a great extent on a "web of trust"
for those trusted people. Better than currently, certainly.
--
Dan Chen crimsun at email.unc.edu
GPG key: www.unc.edu/~crimsun/pubkey.gpg.asc
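The cross-check proposed in the quoted message, sketched as an added example that is not part of the original thread. The function name, the publisher names and the sample bytes are hypothetical, and each published digest is assumed to have had its signature verified beforehand.

```python
import hashlib


def check_agreement(data, published, quorum=2, algorithm="md5"):
    """Compare the digest of `data` with digests from independent publishers.

    `published` maps a publisher name to the hex digest that publisher lists.
    Assumption: each entry's signature was already verified (not shown here).
    Returns (verdict, matching_publishers, dissenting_publishers).
    """
    # md5 is the default only because the thread talks about MD5s;
    # any algorithm name accepted by hashlib.new() works.
    local = hashlib.new(algorithm, data).hexdigest()
    matching = sorted(p for p, d in published.items()
                      if d.strip().lower() == local)
    dissenting = sorted(set(published) - set(matching))

    if len(published) < quorum:
        verdict = "insufficient"   # too few independent sources to compare
    elif matching and dissenting:
        verdict = "conflict"       # publishers disagree with each other
    elif len(matching) >= quorum:
        verdict = "accept"         # every publisher agrees with the file
    else:
        verdict = "reject"         # file matches no published digest
    return verdict, matching, dissenting


# Constructed sample data: stand-ins for a genuine and an altered tarball.
GENUINE = b"constructed stand-in for the genuine tarball\n"
ALTERED = GENUINE + b"constructed stand-in for an added payload\n"
GOOD = hashlib.new("md5", GENUINE).hexdigest()
BAD = hashlib.new("md5", ALTERED).hexdigest()

# Hypothetical publishers. In the second set one publisher's digest was
# replaced to match the altered file; the other two were not.
PUBLISHERS_OK = {"alice": GOOD, "bob": GOOD, "carol": GOOD}
PUBLISHERS_ONE_ALTERED = {"alice": BAD, "bob": GOOD, "carol": GOOD}

if __name__ == "__main__":
    for label, data, pubs in [
        ("genuine file, all agree", GENUINE, PUBLISHERS_OK),
        ("altered file, one digest replaced", ALTERED, PUBLISHERS_ONE_ALTERED),
        ("altered file, no digest replaced", ALTERED, PUBLISHERS_OK),
        ("genuine file, single source", GENUINE, {"alice": GOOD}),
    ]:
        print(label, "->", check_agreement(data, pubs))
```

A "conflict" verdict means only that the sources disagree; deciding which side to believe still rests on trust in the individual publishers, as the reply above points out.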