Hello World
Chris Angelico
rosuav at gmail.com
Mon Dec 22 04:01:25 EST 2014
On Mon, Dec 22, 2014 at 7:52 PM, Marko Rauhamaa <marko at pacujo.net> wrote:
> Chris Angelico <rosuav at gmail.com>:
>
>> Level 0: Why implement your own crypto?!?
>
> Licensing concerns come to mind.
>
> For example, the reference implementations of MD5 [RFC1321] and SHA1
> [RFC3174] are not in the public domain.
Which would you prefer? Something with licensing restrictions, or
something that's either outright buggy, completely insecure due to
something you didn't notice, or maybe has an unnoticed side-channel
attack that leaks your keys? While these can happen with well-known
libraries like libssl, they also get patched; when Heartbleed went
public, updates to the affected versions were available pretty
quickly, but if you had your own implementation, someone might be
leaking your keys without your knowledge and you have to fix it
yourself... if you ever notice.
But we're somewhat off topic now...
ChrisA
More information about the Python-list
mailing list