[Vm-dev] Re: SqueakSSL fixes

Paul DeBruicker pdebruic at gmail.com
Mon Feb 17 19:27:13 UTC 2014


Hi Ron,

I agree with everything you said.  It's my understanding that the use of the
PRNG data will be for things like the Seaside-specific _s session keys and
_k callback keys and cookies.  Not any kind of secure streaming protocol.
Since SqueakSSL now ships with Eliot's VM and the Pharo VM it seems like a
convenient, better source than the Random class on those platforms.

Thanks

Paul



Ron Teitelbaum wrote
>> From: Paul DeBruicker
>> 
>> 
>> Göran Krampe wrote
>> >
>> > ...phew. Ok, let me know if you need anything more and ask questions.
>> >
>> > regards, Göran
>> 
>> 
>> Hi  Göran,
>> 
>> On the Seaside Dev list there was a discussion about accessing RAND_bytes
>> from OpenSSL via the SqueakSSL plugin for secure key generation.  Is that
>> something that would be possible to add to the SqueakSSL plugin at this time?
>> 
>> The discussion is here:
>> 
>> http://forum.world.st/Seaside-Security-td4742433.html
>> 
> 
> Hi Paul,
> 
> I may be missing something so maybe you could answer a question for me. 
> The best cryptography is the simplest for developers to implement.  I
> understand wanting to provide crypto components, that's what we did with
> the Cryptography Team.  SqueakSSL is a much better solution for adding
> security to end users (developers) of Seaside.  The reason for this is that
> all of the technical details are left for the professionals.  SqueakSSL
> uses OpenSSL on Linux and the Windows security implementation on Windows,
> and the Apple security implementation on Mac.  You really can't get better
> than that.  SqueakSSL eliminates your need for PRNG, since it is used and
> implemented properly on each platform.  So given that, why do you need
> PRNG?  If you are implementing your own secure stream, you had better know
> what you are doing, in which case PRNG becomes less of an issue, since
> there are a lot of platform specific solutions.  
> 
> If you are sure you need it we did one in Cryptography which might be
> useful.  If you really feel like you need a proper platform specific
> random generator see the Croquet plugin and TCryptoRandom.  
> 
> Also if you are planning on using SSL on a Linux server I would highly
> recommend using STUD.  
> 
> All the best,
> 
> Ron Teitelbaum
> 
>> 
>> Thanks
>> 
>> Paul
>> 
>> 
>> 
>> --
>> View this message in context: http://forum.world.st/SqueakSSL-fixes-tp4743244p4744392.html
>> Sent from the Squeak VM mailing list archive at Nabble.com.





--
View this message in context: http://forum.world.st/SqueakSSL-fixes-tp4743244p4744443.html
Sent from the Squeak VM mailing list archive at Nabble.com.