Flaws in OpenSSL FIPS Object Module

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Dec 5 22:09:23 EST 2007


Ralf-Philipp Weinmann <weinmann at cdc.informatik.tu-darmstadt.de> writes:
>On Dec 3, 2007, at 16:51, Paul Hoffman wrote:
>> Another interesting part is that open-source systems are much more
>> susceptible to being attacked by competitors (that is, having their
>> validation suspended) than are closed-source systems.
>
>this may have been true in the past. Enter tools like BinDiff [1] and BinNavi
>[2] and a skilled reverse engineer is able to shoot down your closed-source
>implementation almost as quickly as one for which she has source (assuming
>she has binaries, of course).

You're misunderstanding the threat model.  The problem here is that commercial
vendors are in a panic because the certification of free OSS security tools is
allowing all sorts of riff-raff onto the previously exclusive US government
purchasing gravy train.  In order to keep the gravy train free of said riff-
raff, they've kept up a steady stream of objections to the certification based
on various nitpicks.  While it's possible to say "There's something we noticed
here in the source code that requires the software to be ejected from the
train", it's a bit harder to say "We spent three months reverse-engineering
someone else's proprietary protected intellectual property and think we may
have found something".

Peter.

[1] Not my reference.
[2] Not my reference.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
