Date: Mon, 17 Jun 2013 10:45:34 -0400
From: Valdis.Kletnieks@...edu
To: security@...ossecurity.com
Cc: full-disclosure@...ts.grok.org.uk,
 'Defence in Depth' <defenceindepth@...il.com>
Subject: Re: Microsoft Outlook Vulnerability: S/MIME Loss of Integrity

On Mon, 17 Jun 2013 15:51:56 +0200, "ACROS Security Lists" said:
>
> Good points, Valdis, but I think we know how to do this right: an
> invalid/untrusted/unmatching certificate is not a cause for user-waivable warning but
> for a fatal you-shall-not-pass error. By allowing users to even go past the warning
> we're nurturing the automation of okaying such warning as well as (I've seen this too
> many times) the development of HTTPS web sites with untrusted certs that ask their
> users to download and install a root CA cert to remove the warning - and do so over
> HTTP.

No, that's how to do it *hardline*.  There's many in the security industry that
will explain to you that it's also doing it *wrong*.  Hint - the first time that
HR sends out a posting about a 3-day window next week to change your insurance
plan without penalty, signs it with something that doesn't match the From:,
and the help desk is deluged by phone calls from employees who can't read the mail,
the guy who put "You shall not pass" in place will be starting a job hunt.

For even more fun, think about the failure modes when an insurance company
blows it while sending to Joe Sixpack's GMail account.  Whose help desk gets
called, and how do they resolve it? Probably the ISP, and the user gets told
"You could just turn off that checking...."

And that's what will happen to your proposal.  Security measures that get
in the way of actual work *will* get turned off.

Case in point: Google for threads discussing problems with SELinux.  98% of them
end with "I couldn't figure out how to make it work, so I just turned it off".
(And the fact that SELinux is hard to

Unless you plan to actually train the users how to fix the problem *correctly*.

Which I'd love to see, actually, since it would be a first in the security industry :)
