2001-12-19
It may be the next big thing in Trojan horse attacks: swapping bad code for good code in transit. Fortunately, there's a defense.
Detecting the Software Switcheroo
2001-12-20
Anonymous (1 replies)

1. you already have the public key to check the signature.
or
2. you can trust the network to get you the right public key.
#2 requires #1 for the keyserver, and requires that keyservers sign their requests for keys. To the best of my knowledge this is not the case.
This is a public-key bootstrapping issue, and we still haven't solved it, and so we'll still continue to get burned by it.
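The bootstrapping problem raised in the comment above, as an added example that is not part of the original article or comment: a signature check that uses a key delivered over the same network as the download accepts a swapped file, while a check against a fingerprint held beforehand rejects it. Toy textbook RSA on Mersenne primes stands in for a real signature scheme, and every name here (`make_key`, `check_download`, the sample files) is an assumption made up for the illustration.

```python
import hashlib

# Toy textbook RSA (no padding, small fixed primes): illustration only.
def make_key(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    return pow(digest(data, priv["n"]), priv["d"], priv["n"])

def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == digest(data, pub["n"])

def fingerprint(pub):
    return hashlib.sha256(f'{pub["n"]}:{pub["e"]}'.encode()).hexdigest()

def check_download(code, sig, fetched_pub, pinned_fp=None):
    """pinned_fp=None models case 2: trust whatever key the network returned.
    A pinned_fp models case 1: the right key was already known beforehand."""
    if pinned_fp is not None and fingerprint(fetched_pub) != pinned_fp:
        return "reject: key does not match pinned fingerprint"
    return "accept" if verify(fetched_pub, code, sig) else "reject: bad signature"

def demo():
    # Constructed sample keys and files.
    vendor_pub, vendor_priv = make_key(2**61 - 1, 2**89 - 1)
    other_pub, other_priv = make_key(2**107 - 1, 2**127 - 1)  # key of whoever controls the path
    pinned = fingerprint(vendor_pub)  # obtained ahead of time, out of band
    good = b"print('hello')\n"
    swapped = b"print('swapped in transit')\n"
    # The network delivers a swapped file, a signature over it, and a matching key.
    delivered = (swapped, sign(other_priv, swapped), other_pub)
    return {
        "network_key_only": check_download(*delivered),
        "pinned_key": check_download(*delivered, pinned_fp=pinned),
        "genuine_pinned": check_download(good, sign(vendor_priv, good),
                                         vendor_pub, pinned_fp=pinned),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The signature mathematics is sound in all three cases; only the origin of the verification key changes the outcome.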