lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200309241955.PAA17039@Sparkle.Rodents.Montreal.QC.CA>
Date: Wed, 24 Sep 2003 15:45:23 -0400 (EDT)
From: der Mouse <mouse@...ents.Montreal.QC.CA>
To: Mark Coleman <markc@...ontown.com>, <BUGTRAQ@...urityfocus.com>,
	incidents@...urityfocus.org
Subject: Re: Privacy leak in VeriSign's SiteFinder service #2


> Verisign does NOT reject the connection until AFTER the MAIL FROM:
> and RCPT TO: fields have been communicated by your email server.

The "server" they had completely ignored, as far as anyone could tell,
all input: you could type total garbage lines and get exactly the same
canned sequence of responses.

Note the past tense.  Now, when I connect there, I get a 521
"greeting", from some host that apparently believes it lives in a new
TLD .11 (apparently not content with inventing new .com and .net names,
they've now invented a whole new TLD - at least this one they didn't
actually put in the DNS):

% telnet yyaahhoooo.com 25
Trying 64.94.110.11...
Connected to yyaahhoooo.com.
Escape character is '^]'.
521 64.94.110.11 Recipient domain does not exist
Connection closed by foreign host.

> They could (AND SHOULD) REJECT from the initial connection,

Actually, the wildcard shouldn't have been inserted in the first place;
when it was, .com and .net should have been immediately handed over to
a more ethical custodian.  But Verisign doesn't seem willing to remove
the wildcard on their own (hardly surprising), and ICANN appears
unwilling to do more than scold (depressing, but not really surprising).

> Bad, verisign.  Very bad.

Well, yes, but we knew _that_ from the day the wildcard went in.

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse@...ents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ