[Cryptography] [FORGED] Re: OpenSSL and random

Ben Laurie ben at links.org
Tue Nov 29 14:04:53 EST 2016


On 29 November 2016 at 18:20, Salz, Rich <rsalz at akamai.com> wrote:
> Tens of thousands of individual developers and sysadmins have downloaded, built, and installed OpenSSL.  A handful of distributions also do that, and bundle it with their release. For a variety of understandable reasons, said distros are always out of date.
>
>> Real developers are not generally crypto geeks.  They need an alarm bell like this to go off to let them know when something is wrong.
>
> And if the alarm bell is "apache won't start" they will throw out openssl or swamp us with email or perhaps fall back to plaintext.
>
> Servers do not have keyboards or screens that can be scraped for a source of entropy.

But what they do have is instruction counters and loads of devices
that take a random amount of time to initialise. I demonstrated quite
a while back that there's enough entropy at startup just from that to
seed your RNG, even in quite cut-down machines, and in VMs.

