[Cryptography] [FORGED] Re: OpenSSL and random
watsonbladd at gmail.com
Tue Nov 29 14:08:21 EST 2016
On Nov 29, 2016 11:00 AM, "Salz, Rich" <rsalz at akamai.com> wrote:
> Tens of thousands of individual developers and sysadmins have downloaded,
> built, and installed OpenSSL. A handful of distributions also do that, and
> bundle it with their release. For a variety of understandable reasons, said
> distros are always out of date.
> > Real developers are not generally crypto geeks. They need an alarm
> > bell like this to go off to let them know when something is wrong.
> And if the alarm bell is "apache won't start" they will throw out openssl
> or swamp us with email or perhaps fall back to plaintext.
> Servers do not have keyboards or screens that can be scraped for a source
They have RDRAND. Silent failure is not a good idea. Can any user of
OpenSSL be sure the random number generator is properly set up?
> Senior Architect, Akamai Technologies
> Member, OpenSSL Dev Team
> IM: richsalz at jabber.at Twitter: RichSalz