Message-ID: <4BE9238C-08A2-11D9-9E02-000D935143FC@sarenet.es>
Date: Fri, 17 Sep 2004 14:08:33 +0200
From: Borja Marcos <borjam@...enet.es>
To: David Covin <dcovin@....mgh.harvard.edu>
Cc: bugtraq@...urityfocus.com
Subject: Re: Corsaire Security Advisory - Multiple vendor MIME RFC2047 encoding issue


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> 2. Your logic sounds convincing, but interposing a proxy that
> systematically changes incoming messages raises red flags in my mind.

	Digital signatures would not work, obviously.

	However, what is the reason to keep a malformed message? It's like 
the stupid thing antivirus software does, "cleaning" infected messages 
which have obviously *not* been sent by the computer's owner. In the 
case of the Sircam virus, AV software failed catastrophically, not 
discarding thousands of messages with confidential documents sent 
without the knowledge of their owners, not to mention the extremely 
useful notifications sent by those amazingly clever pieces of cr... 
errr, software.

	If someone builds faulty software which generates bad MIME headers, 
such messages should be treated as hostile messages and dropped. 
Period. What happened when Microsoft tried to make Windows 
"intelligent" so that an executable "wrongly" labelled with an audio 
MIME type would be correctly "opened" (I mean, executed)?

	By trying to make poor programmers' lives easier, we make our own 
lives harder. So, the only secure way to deal with a corrupt message is 
to drop it. Period.



	Borja.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFBStPEULpVo4XWgJ8RAiAYAKCU/iZrJdYW/j4OafV8VRwVZGKT8gCdHmhv
AFNM8MrITjWR1d7HaXajcJo=
=iVnR
-----END PGP SIGNATURE-----
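The "drop, don't clean" policy argued for above can be expressed as a strict RFC 2047 check on incoming headers: every encoded-word must match the grammar exactly, use a known charset and decode cleanly, and may only appear where section 5 of the RFC allows it; anything else causes the message to be rejected rather than repaired. The following is an added example written for this archive page; it is not code from the Corsaire advisory, from Borja Marcos, or from any mail filter discussed in the thread. The set of headers treated as "no encoded-words allowed" and the four sample messages are constructed for the example.

```python
import base64
import binascii
import codecs
import re
from email import policy
from email.parser import BytesParser

# RFC 2047 section 2, applied strictly: charset and encoding are tokens (no
# whitespace, controls or especials), encoded-text has no whitespace or '?',
# and a whole encoded-word is at most 75 characters long.
ENCODED_WORD_RE = re.compile(
    r'=\?(?P<charset>[^\s?()<>@,;:"/\[\].=]+)\?(?P<enc>[BbQq])\?(?P<text>[^\s?]+)\?='
)
# Q encoding: printable ASCII except '=', '?' and SPACE, or '=' plus two hex digits.
Q_TEXT_RE = re.compile(r'(?:[!-<>@-~]|=[0-9A-Fa-f]{2})*')

# Structured headers in which RFC 2047 section 5 permits no encoded-word at all
# (parameter values use RFC 2231 instead). Which headers to list here is an
# assumption of this example, not something taken from the advisory or the mail.
STRUCTURED_HEADERS = {"content-type", "content-disposition",
                      "content-transfer-encoding", "mime-version"}


def check_encoded_words(value: str, structured: bool) -> list[str]:
    """Return a list of RFC 2047 violations found in one header value."""
    problems = []
    for m in ENCODED_WORD_RE.finditer(value):
        word, charset, enc, text = m.group(0, 'charset', 'enc', 'text')
        if structured:
            problems.append(f"encoded-word not permitted here: {word}")
        if len(word) > 75:
            problems.append(f"encoded-word longer than 75 chars: {word[:30]}...")
        try:
            codecs.lookup(charset.split('*', 1)[0])  # drop an RFC 2231 language tag
        except LookupError:
            problems.append(f"unknown charset: {charset}")
        if enc in 'Bb':
            try:
                base64.b64decode(text, validate=True)  # rejects bad alphabet/padding
            except binascii.Error:
                problems.append(f"invalid base64 in encoded-word: {word}")
        elif not Q_TEXT_RE.fullmatch(text):
            problems.append(f"invalid Q-encoding in encoded-word: {word}")
    # Whatever still looks like an encoded-word delimiter after the well-formed
    # words are removed is a malformed one (space inside, missing '?=', ...).
    leftover = ENCODED_WORD_RE.sub('', value)
    if '=?' in leftover or '?=' in leftover:
        problems.append(f"malformed encoded-word in: {value.strip()[:60]}")
    return problems


def triage(raw: bytes) -> tuple[str, list[str]]:
    """Return ('accept', []) or ('drop', reasons). No attempt is made to guess
    what a malformed header meant: a message that fails any check is dropped."""
    msg = BytesParser(policy=policy.compat32).parsebytes(raw, headersonly=True)
    reasons = []
    for name, value in msg.items():
        structured = name.lower() in STRUCTURED_HEADERS
        reasons += [f"{name}: {p}" for p in check_encoded_words(str(value), structured)]
    return ("drop", reasons) if reasons else ("accept", [])


# Constructed sample messages (not taken from the advisory or the mailing list).
GOOD_MESSAGE = (b"From: alice@example.invalid\r\n"
                b"Subject: =?UTF-8?B?SGVsbG8gd29ybGQ=?=\r\n"
                b"Content-Type: text/plain\r\n\r\nhello\r\n")
BAD_SPACE_MESSAGE = b"Subject: =?UTF-8?Q?Hello World?=\r\n\r\nx\r\n"
BAD_CHARSET_MESSAGE = b"Subject: =?x-no-such-charset?Q?hi?=\r\n\r\nx\r\n"
BAD_PARAM_MESSAGE = (b"Content-Type: application/octet-stream; "
                     b'name="=?ISO-8859-1?Q?report.txt?="\r\n\r\nx\r\n')

if __name__ == "__main__":
    for label, raw in [("good", GOOD_MESSAGE), ("space", BAD_SPACE_MESSAGE),
                       ("charset", BAD_CHARSET_MESSAGE), ("param", BAD_PARAM_MESSAGE)]:
        verdict, reasons = triage(raw)
        print(label, verdict, *reasons, sep="\n  ")
```

The check deliberately never decodes a header for display or rewrites it; it only decides accept or drop, so a PGP signature over the original headers stays verifiable for every message that gets through, which is the objection the quoted reply raises against a rewriting proxy.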


