[Cryptography] OpenSSL CSPRNG work
iang
iang at iang.org
Sat Jul 1 09:00:36 EDT 2017
On 29/06/2017 02:03, Ron Garret wrote:
> Security is all about avoiding hypothetical problems that might never occur.
Security is about risk analysis. Take the likelihood of the attack and
mulitply it by the cost of damage, both for your chosen users. Then
order them according to largest first. Start at the top. Ignore the bottom.
> Having an attacker insert a back door into a /dev/urandom driver is not an unreasonable threat model for some people.
Anyone who has that threat model generally has a squillion other
problems. I'd say OpenSSL security is for those who are the vast
majority of OpenSSL users - the browsers and servers.
iang
More information about the cryptography
mailing list