Runesabre wrote:

> I appreciate the replies from everyone. You have all
> been very helpful! (/wave Markku and Tim)
>
> I'm not a security expert so I'm learning as I go.
> What I can't really understand is how a client-side
> application can be completely open source and secure
> at the same time without giving away its encryption
> techniques. I can't afford for every customer to be
> issued a SecureId fob like I used in the workplace and
> any secret "key" transmitted over the 'net can simply
> be intercepted and used with full knowledge of how the
> key works since access to the source code is
> available. My customers aren't locked to using their
> account from a specific machine.
>
> Do open source web servers include the full source to
> their encryption routines? What about SSL? Is the
> source to SSL open to the public?
>
> Thanks again for the responses.
>
> Kirk Black

A key pair is used. One key encrypts the message, and a second key decrypts the message. The thing is, the key that encrypts the message cannot be used to decrypt it. Even with the encryption source code and one key, it is not practical to decrypt the message. (It can be done with enough CPU time, but it is not practical.)

You may want to read up on openSSL or GnuPG - you can get the full source code for them. You can use openSSL to set up a secure connection for sending things like usernames and passwords. Just capturing the communications does not help, because the encrypted stream is different every time.

Mikkel

--
Do not meddle in the affairs of dragons, for thou art crunchy and taste good with Ketchup!
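To make the reply's two points concrete in running code, here is an added example that is not part of the original thread and is not OpenSSL's or GnuPG's code: a deliberately tiny textbook RSA in pure Python. Everything an eavesdropper would have (the whole algorithm, the public key, the ciphertext) is in this file, and the decryption still needs the private key; random padding also makes the ciphertext for the same password differ on every send. The key size, the ad-hoc padding layout and the helper names (`generate_keypair`, `encrypt`, `decrypt`) are assumptions chosen for illustration, and the sample password is constructed; real systems should use OpenSSL or GnuPG as the reply says, not this code.

```python
import secrets
from math import gcd

# Toy textbook RSA (added illustration, not a real library).
# 128-bit keys and the home-made padding below are far too small and too
# weak for real use; they exist only so the whole thing fits on one page.
BLOCK = 15   # plaintext block size in bytes, always below the 126-bit modulus
PAD = 4      # random bytes prepended to every block (makes ciphertexts differ)


def is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # composite for sure
    return True


def random_prime(bits):
    """Random prime with exactly `bits` bits (top and bottom bit forced on)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits=128):
    """Return (public, private) as (n, e) and (n, d). e is public, d stays secret."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p == q:
            continue
        phi = (p - 1) * (q - 1)
        if gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def encrypt(public_key, message):
    """Encrypt up to BLOCK-PAD-1 bytes with the *public* key. Randomised."""
    n, e = public_key
    if len(message) > BLOCK - PAD - 1:
        raise ValueError("message too long for one toy block")
    # Block layout: random pad | 1-byte length | message | zero fill.
    block = secrets.token_bytes(PAD) + bytes([len(message)]) + message
    block = block.ljust(BLOCK, b"\x00")
    m = int.from_bytes(block, "big")
    assert m < n                                   # always true: 120 bits < 126 bits
    return pow(m, e, n)


def decrypt(private_key, ciphertext):
    """Decrypt with the *private* key. Any other key yields None or garbage."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    if m.bit_length() > BLOCK * 8:
        return None                                # not a valid block: wrong key
    data = m.to_bytes(BLOCK, "big")
    length = data[PAD]
    if length > BLOCK - PAD - 1:
        return None
    return data[PAD + 1:PAD + 1 + length]


if __name__ == "__main__":
    public, private = generate_keypair()
    password = b"s3cret-pw"                        # constructed sample value
    c1, c2 = encrypt(public, password), encrypt(public, password)
    print("same password, different ciphertexts:", c1 != c2)
    print("recovered with private key:", decrypt(private, c1))
    print("attempt with the public key only:", decrypt(public, c1))
```

Run it and note that the only thing the client ever needs to hold is the server's public key, which is fine to ship inside an open-source client; the private key never leaves the server, so reading the source and sniffing the wire gives an attacker nothing to decrypt with. OpenSSL does exactly this (with proper padding, much larger keys and a symmetric session key on top) when it sets up an SSL/TLS connection.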