Gervase Markham wrote:
> Nelson B wrote:
>> One needs a trusted source AND a trusted channel to that source.
>
> Yes, although there's also a "herd immunity" feature, as I discuss below.
>
> At the moment, spotting things like the Wordpress download tarball
> trojan took quite a while, because someone had to bother to check the
> code against the published MD5sum manually - and who does that? Maybe
> just you :-)
>
> If Link Fingerprints were being used, 15% or more of all downloads would
> be checked automatically.

Hm, and where is this 15% coming from? Just another assumption? Note that we asked (per e-mail) the top 500 download sites, and most of them prefer to wait and see what Link Fingerprinting is and can do for them, because so far nobody really believes that it will do any good for them, but that it will add extra work, errors and costs them probably an unexpected amount of (extra) money.

> The problem would have been spotted much, much
> sooner. So even people without LF-supporting clients, and people against
> whom an MITM is being attempted, get an indirect benefit.
>
> Gerv

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto