
Re: Number of CAs

2013-11-18 06:43:11
On Mon, Nov 18, 2013 at 1:25 AM, Masataka Ohta <
mohta(_at_)necom830(_dot_)hpcl(_dot_)titech(_dot_)ac(_dot_)jp> wrote:

Phillip Hallam-Baker wrote:

Not unless you compile your browser from source and verify the source
each time you compile.

Wrong, because your compiler may also be compromised.

        http://en.wikipedia.org/wiki/Backdoor_%28computing%29

        Thompson's paper describes a modified version of the Unix C
        compiler that would:

                Put an invisible backdoor in the Unix login command
                when it noticed that the login program was being
                compiled, and as a twist

                Also add this feature undetectably to future compiler
                versions upon their compilation as well.


The attack is easily defeated these days because we have time stamp
authorities. I don't think that the compilers I use are smart enough to put
a back door in code written after they were.



They have demonstrated an ability to hide compromise
pretty well.

See above. I know better than you how to hide it.


The paper is hardly obscure. I generally assume people have read freshman
Comp Sci



Assuming active MITM attacks both on ISP chains and CA chains, the
attacks on PKI always succeed.

Subpoenaing the software providers and the CAs are two different issues.
Google could not credibly claim that its business would be destroyed if
PRISM was exposed but

Are you saying that it's OK even though google's software business
has been damaged a lot?

Note that google also has cloud provider business, which is also
damaged a lot.


It is a much trickier case because any damage comes from the risk of using
the unconstitutional powers not from having exercised them. The cause of
action is nowhere near as clear cut as it would be if a court exceeded its
powers and granted an injunction requiring a CA to make a
misrepresentation about the identity of a certificate holder.

-- 
Website: http://hallambaker.com/