Message-ID: <75C025AE395F374B81F6416B1D4BDEFB0146C113@mtv-corpmail.microfocus.com>
Date: Fri, 26 Sep 2003 12:11:50 -0700
From: Michael Wojcik <Michael.Wojcik@...rofocus.com>
To: bugtraq@...urityfocus.com
Cc: Bennett Todd <bet@...ul.net>
Subject: RE: base64


> From: Bennett Todd [mailto:bet@...ul.net] 
> Sent: Friday, September 26, 2003 1:08 PM
> 
> For the kind of companies I work in, the very best solution would
> (in my opinion!) be a canonicalizer that was smart enough to hold
> off actually committing any rewrites until it finds something that's
> ambiguous or dangerous, and that leaves notes describing what it did
> and why.

Keep in mind that canonicalization, or any other sort of rewriting, is
considerably more complex than scanning for invalid syntax and rejecting,
and so it's more prone to be fragile and have bugs itself.

I agree, though, that there won't be a universal solution.  For my own
incoming email, I'd prefer a strict filter that rejects (or more likely
quarantines for further study) any messages with invalid Base64 or MIME
syntax.  With the amount of email traffic I get, and the proportion likely
to fall into that category, that's manageable.  But large organizations with
many nontechnical users will obviously have different requirements.

-- 
Michael Wojcik
Principal Software Systems Developer, Micro Focus
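The two approaches contrasted in this thread, a strict filter that rejects or quarantines non-canonical Base64 versus a permissive decoder that quietly repairs it, can be shown side by side. The following is an added example written for this archive page; it is not code from either correspondent, and the sample strings are constructed for illustration.

```python
"""Strict Base64 checker versus a lenient decoder.

Added example (not from the original Bugtraq thread). The sample strings
below are constructed for illustration.
"""
import base64
import binascii
import re

_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Canonical RFC 2045/4648 Base64: whole quads of alphabet characters,
# optionally ending in one quad padded with '=' or '=='. No whitespace,
# no line breaks, no other characters.
_CANONICAL = re.compile(
    r"(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?"
)


def strict_b64_check(data: str):
    """Return (ok, reason). ok is True only when data is canonical Base64.

    Besides alphabet, length and padding, this also rejects encodings whose
    unused trailing bits are non-zero: such strings decode to the same bytes
    as a canonical string, so two different inputs carry one payload. That is
    the kind of ambiguity a rewriting canonicalizer has to resolve and a
    strict filter can simply refuse.
    """
    if _CANONICAL.fullmatch(data) is None:
        return False, "non-alphabet character, bad length or bad padding"
    if data.endswith("=="):
        # Last symbol carries 2 payload bits; its low 4 bits must be zero.
        if _ALPHABET.index(data[-3]) & 0x0F:
            return False, "non-zero trailing bits before '=='"
    elif data.endswith("="):
        # Last symbol carries 4 payload bits; its low 2 bits must be zero.
        if _ALPHABET.index(data[-2]) & 0x03:
            return False, "non-zero trailing bits before '='"
    return True, "canonical"


def lenient_decode(data: str):
    """What a permissive decoder does with the same input.

    Python's default b64decode silently drops characters outside the
    alphabet and ignores non-zero trailing bits; it only fails on padding
    that cannot be repaired.
    """
    try:
        return base64.b64decode(data)
    except binascii.Error:
        return None


def triage(data: str) -> str:
    """Policy from the message: accept canonical input, quarantine the rest."""
    ok, _ = strict_b64_check(data)
    return "accept" if ok else "quarantine"


# Constructed samples: one clean encoding and several malformed variants that
# a lenient decoder would quietly turn into the same or similar bytes.
SAMPLES = [
    "Zm9vYmFy",      # canonical "foobar"
    "Zm9vYg==",      # canonical "foob"
    "Zm9vYh==",      # same bytes as above but non-zero trailing bits
    "Zm9v YmFy",     # embedded space
    "Zm9vYmF",       # truncated, not a multiple of 4
    "Zm9v\r\nYmFy",  # line break inside the data
]

if __name__ == "__main__":
    for s in SAMPLES:
        ok, reason = strict_b64_check(s)
        print(f"{s!r:18} strict={ok!s:5} ({reason:48}) "
              f"lenient={lenient_decode(s)!r} -> {triage(s)}")
```

Running it shows the point of the message: the lenient decoder turns "Zm9v YmFy", "Zm9v\r\nYmFy" and "Zm9vYmFy" into the same bytes and accepts "Zm9vYh==" as a second spelling of "Zm9vYg==", so the decoder's output says nothing about whether the input was well-formed. The strict checker answers only one question, is this canonical, and leaves everything else for quarantine, which is the simpler and less fragile behaviour Wojcik prefers for his own mail.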

