Technical Note
Copyright Notice
Copyright © 2001 Brendon J. Wilson.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".
Table of Contents
Copyright Notice 2
Overview 4
Origin of this Document 4
Intended Audience 4
Relation to Other Systems 4
Detailed Description 5
Requirements 5
Obtaining Source Code 5
Configuring the Client Applets 5
Running the Applets 6
Security Restrictions 6
GNU Free Documentation License 7
References 8
Revision History 9
Overview
This document outlines methods for reviewing the activity of the HushMail applet in an integrated development environment for the purposes of reviewing the activities of the applet as part of a formal or informal security audit. The configuration information presented here enables a developer to use the publicly available source code for the HushMail applet and a live HushMail server to exercise all aspects of the application’s functionality; this is required to encourage peer review, while keeping the code for the server side component of the HushMail application private.
Origin of this Document
Originally the contents of this document were created to train new developers; however, given the importance of public review of the security aspects of the application, I’ve retooled the document for public consumption.
Any developers who wish to analyze the operation of the HushMail application, but do not have the benefit of access to the server side components.
Relation to Other Systems
As the HushMail applet relies on the support of the HushMail server, and a HushMail key server, this topic is intimately related to the communication protocol, and ciphers used by the HushMail system. This document will not describe any aspects of the HushMail protocol, or the server side architecture.
Detailed Description
Requirements
In order to use the source code provided by Hush, you will require a Java 1.2 development environment; you should preferably use an integrated development environment, such as VisualAge for Java (available for free at www.ibm.com/vadd). In addition, you should have some knowledge about Java, Java applets, and the configuration details of your Java environment.
Obtaining Source Code
Hush Communications (www.hush.com) has made the source code the HushMail client applet public available for peer review; all versions of the source code can be obtained from the Hush.ai server (www.hush.ai). Choose the latest release of the client source code, and unzip the source code in a location appropriate for your Java development environment.
In addition to the source code provided by Hush, you will require the set of images and properties used to populate text and buttons in the applet; for your convenience, a package of the required files has been made available at www.brendonwilson/projects/hushmail/testenvironment.zip. Unzip this file in the same location as you unzipped the source code files.
Configuring the Client Applets
The HushMail applets rely on
tags in the calling
Dostları ilə paylaş: |