I first sent this from the wrong email address. My apology. On Fri, 28 Oct 2016 08:24 +0100 (BST), you wrote: > > > When downloading ICS and the OpenSSL binaries you provide, I've > > never been able to find any sig, sha, or md5 files for checking > > authenticity. > > ICS itself is source code, so in theory is not a security risk.
Source code is subject to the same concerns as binaries. When the SSL code was added to ICS years back, security became a concern. > We don't provide any authentication for our builds of the OpenSSL tools > because no-one has ever asked, and we don't have the means to easily > automate it. Doing so would involve time better spent supporting ICS. > > You don't have to use the ICS build OpenSSL tools, there are other > Windows versions out there you can use instead. > > One thing that could be done with a new command batch file is to > digitally sign the OpenSSL DLLs, which you can already do for your own > customers. You're right. All that's required is a batch file. I PGP sign all my source and binaries. It's required. Your ICS and OpenSSL DLLs are included in my releases, and it makes me a little uneasy signing for your work as I cannot say I know for a fact these binaries came from the original source code or aren't otherwise tampered with. The original OpenSSL files you downloaded were signed. Then you don't sign. Then I do sign. You're sort of a broken link in the security chain. I have always trusted you guys implicitly, I feel quite certain everything is fine. I will continue to trust you. I appreciate your very long and most excellent work. I've been with you since, I think, 1999. > But ICS does have an authenticode certificate and is not a > company so might have trouble actually buying one (they are expensive) > so they'd probably need to be signed by my company as Magenta Systems > Ltd. But at least that would protect against tampering. I'm not sure about your authenticode cert and how the user tests it. I've seen them available and I know they're expensive. I'm guessing this is for your commercial software. It's probably not the best choice for this application. In the open source world, PGP sigs are universally accepted for this purpose. All that's required is the GPG program and creation of a key owned by the person signing the release. I know this is something you haven't considered previously. Early on, your work had no security implications at all. I can understand and have basically overlooked this all along. Taking this step would be an important and needed service to all who use your ICS/OpenSSL, but if this is too much for you right now, I hope you can work it in at some time in the future. Regards, Richard -- To unsubscribe or change your settings for TWSocket mailing list please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket Visit our website at http://www.overbyte.be
