From: Ben Laurie <ben@gonzo.ben.algroup.co.uk>
Date: Wed, 27 Nov 1996 00:15:54 -0800 (PST)
To: Douglas Barnes <cman@c2.net>
Subject: Re: SAFEPASSAGE BRINGS STRONG CRYPTO TO WEB BROWSERS WORLDWIDE
In-Reply-To: <2.2.32.19961126212424.00cba538@blacklodge.c2.net>
Message-ID: <9611270712.aa22352@gonzo.ben.algroup.co.uk>
MIME-Version: 1.0
Content-Type: text/plain


Douglas Barnes wrote:
> 
> 
> >>       SAFEPASSAGE BRINGS STRONG CRYPTO TO WEB BROWSERS WORLDWIDE
> >
> >BTW, this doesn't come with source code.
> >
> 
> No, it does not come with source code. Site licenses and OEM
> bundling packages will come with a source code option. Partners
> who work with us in internationalizing the product may also
> receive source code. However, it did not seem to be useful or
> appropriate for a consumer-level product like this.
> 
> We are trying to find a happy medium between making sure that the
> security is well-reviewed, and doing things that make business
> sense and map onto standard industry practice for selling software
> products. 

Really? Who reviewed the security of SafePassage?

> 
> Note that SafePassage uses SSLeay for its encryption and SSL
> protocol layer; SSLeay has publicly available source code, and has 
> been extensively reviewed.

I've never seen a security review of SSLeay, and if anyone gave it a clean bill
of health, they didn't have their eye on the ball. Note, I'm not knocking
SSLeay here, it is a wonderful lump of code, but it hasn't been written with
security in mind (IMHO).

Cheers,

Ben.

-- 
Ben Laurie                Phone: +44 (181) 994 6435  Email: ben@algroup.co.uk
Freelance Consultant and  Fax:   +44 (181) 994 6472
Technical Director        URL: http://www.algroup.co.uk/Apache-SSL
A.L. Digital Ltd,         Apache Group member (http://www.apache.org)
London, England.          Apache-SSL author