[Cryptography] [FORGED] Re: OpenSSL and random
mitch at niftyegg.com
Tue Nov 29 21:04:56 EST 2016
On Tue, Nov 29, 2016 at 10:20 AM, Salz, Rich <rsalz at akamai.com> wrote:
> Tens of thousands of individual developers and sysadmins have downloaded,
> built, and installed OpenSSL. A handful of distributions also do that, and
> bundle it with their release. For a variety of understandable reasons, said
> distro's are always out of date.
> > Real developers are not generally crypto geeks. They need an alarm bell
> like this to go off to let them know when something is wrong.
> And if the alarm bell is "apache won't start" they will throw out openssl
> or swamp us with email or perhaps fall back to plaintext.
> <cryptography at metzdowd.com>
Invite the world to get it correct add worthy options to examples on
Lots of bad code starts there... so add some good code.
google for: site:stackexchange.com random urandom dev/random dev/urandom
sample the offered solutions.
As a group a small group here could ask and answer questions that could be
Sure that is a shill game but a valuable way to share known solutions and
OpenSSL could have a go-get-rand() function that is #ifdef rich and does
right things. For the systems that ./configure does not find worthy
tools have a configure option that is a lot like $HobbledInsecureMachine
use internet timeouts and other "weak solutions".
For blocking sources read a small number of bits at a time and time
them each read to know how sluggish the application might feel. Stop with
and seed a PNRG with the TRN set you have and local environment...
Blocking reads are the bane of programmers... as are hidden buffers as
T o m M i t c h e l l
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the cryptography