1995-10-24 - Does your software?

Header Data

From: fc@all.net (Dr. Frederick B. Cohen)
To: aleph1@dfw.net (Aleph One)
Message Hash: ee7353a029040fde6d2224d7cdbb5855b969ce9a471fb89202e4ace6de12465d
Message ID: <9510241549.AA19649@all.net>
Reply To: <Pine.SUN.3.90.951024083716.7258A-100000@dfw.net>
UTC Datetime: 1995-10-24 15:52:20 UTC
Raw Date: Tue, 24 Oct 95 08:52:20 PDT

Raw message

From: fc@all.net (Dr. Frederick B. Cohen)
Date: Tue, 24 Oct 95 08:52:20 PDT
To: aleph1@dfw.net (Aleph One)
Subject: Does your software?
In-Reply-To: <Pine.SUN.3.90.951024083716.7258A-100000@dfw.net>
Message-ID: <9510241549.AA19649@all.net>
MIME-Version: 1.0
Content-Type: text


Aleph One / aleph1@dfw.net typed:
...
> fc@all.net typed:
> > That's correct.  Secure software has to have secure distribution in
> > order to maintain its security when distributed through an untrusted
> > channel.  I think that Netscape uses an MD5 checksum which the members
> > of this list seem to place unlimited trust in (incorrectly in my view,
> > but that would be picking two nits with one keyboard entry).
> 
> Question: Does your software (your striped down http server, etc)
> do this? I bet not.

How much do you owe me?

The differences between my secure http server and Netscape's browser
are quite dramatic, so I think you deserve a fairly comprehensive answer.

My get-only server cannot run outside applications, and hence does not
have the vulnerability of Netscape's browser.  Note also the distinction
between a server and a browser.

My get-only server is available in source form, is 80 lines long and
thus easily understood, has been shown to meet security properties, is
now in the process of being mathematically proven to meet those
properties, and is published in a refereed journal which can be used to
confirm its contents in detail.  Hence, I do provide secure distribution
through purely physical means. 

-- 
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236




Thread