| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <75C025AE395F374B81F6416B1D4BDEFB0146C113@mtv-corpmail.microfocus.com> Date: Fri, 26 Sep 2003 12:11:50 -0700 From: Michael Wojcik <Michael.Wojcik@...rofocus.com> To: bugtraq@...urityfocus.com Cc: Bennett Todd <bet@...ul.net> Subject: RE: base64 > From: Bennett Todd [mailto:bet@...ul.net] > Sent: Friday, September 26, 2003 1:08 PM > > For the kind of companies I work in, the very best solution would > (in my opinion!) be a canonicalizer that was smart enough to hold > off actually committing any rewrites until it finds something that's > ambiguous or dangerous, and that leaves notes describing what it did > and why. Keep in mind that canonicalization, or any other sort of rewriting, is considerably more complex than scanning for invalid syntax and rejecting, and so it's more prone to be fragile and have bugs itself. I agree, though, that there won't be a universal solution. For my own incoming email, I'd prefer a strict filter that rejects (or more likely quarantines for further study) any messages with invalid Base64 or MIME syntax. With the amount of email traffic I get, and the proportion likely to fall into that category, that's manageable. But large organizations with many nontechnical users will obviously have different requirements. -- Michael Wojcik Principal Software Systems Developer, Micro Focus
Powered by blists - more mailing lists