There are a lot of people involved in the build process. And a much smaller number of people involved in the development of specific portions of code. If you can isolate your security concerns to those areas (still aspirational) you can reduce your trusted dev base.
-
-
I’m confused now. I thought you were arguing that there were vulns that could only be exploited by one side, a la Dual EC.
-
Yes, you understand correctly. Who else can exploit the example I gave other than the vendor?
- 25 more replies
New conversation -
-
-
The enterprise or edtech middlebox vendor can exploit it.
Along with everyone their static keys leaked to. 
-
Rich, come on, are you seriously arguing I can't design a bug only I can exploit? Fine, the strcpy() only happens after the embedded PGP clearsign signature is verified.

- 2 more replies
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.
