| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: dufresne at winternet.com (Ron DuFresne) Subject: [LONG] Improving E-mail security... Might as well tackle ftp then also. Isn't postfix supposed to have been such an attempt as to provide something smaller, and more stable then sendmail? Although not a rewrite of SMTP perse... Thanks, Ron DuFresne On Tue, 26 Aug 2003, lceone@...cast.net wrote: > Bengt Ruusunen wrote: > > - E-mail receiving server could check that 'very first original' From: > > line and if it is same than the receiver address ie. 'someone@...eone.com' > > > > Perform an check to see if the 'sender identification' ie. salted public > > key, GUID or something (X-Authenticated-Guid: #0a845d299ca340087140) > > exists in mail header. > > Sort of like a required, server based, pgp check? > > <OPINION> > I think it's just about time that we stop patching over this dinosaur > protocol that we call SMTP (RFC 821 from *August 1982*). This protocol > was originally designed to send text messages from one machine to > another back in the "Good Ol' Days" when the internet was safe because > it existed at two schools and a government institution. > > Then as the years went on, the protocol became inadequate. e.g. it only > allowed for a message to use the 128 ASCII character codes. So instead > of re-evaluating and rewriting the protocol, we've patched it. We added > MIME, because that made it easier to send each other HTML formatted > email and pictures of our cats. We added PGP, but not frequently or in > a consistent manner. We added pretty features, but we've neglected any > security that should have been added, or problems fixed (feature bloat > anyone?). > > But you cant do that. You cant build a big house on a small foundation > or it will crumble. Today's *constant* problems/viruses/spam/etc is the > crumble showing itself. It will only get worse from here. Seriously, > we shouldn't have to think twice about simply viewing an email for fear > of self-executing viruses. That should not be an option. > > <SEMI-FACTUAL BABBLING> > About spam. This problem, I think, mainly arises from the fact that the > spamming server can connect to domain.com, transmit one copy of the spam > email, and send it to 100,000 users, from anyone, to anyone, no > questions asked. This puts a huge load on the receiving server, and > comparably minimal load on the sending server (depending on message > size). If the protocol was rewritten to allow only "one for one" > sending, maybe this would slow them down? I dunno, just a thought. > Oh! And *maybe* we could make relaying OFF by default! Wacky ideas. > </SEMI-FACTUAL BABBLING> > > So maybe it would be in the best interest of the internet community if > someone stopped and took a look at what the requirements for a good > communications protocol to replace email would be, and tried to put one > together from the ground up. Security, features, and all. Heck, if I > can get a group together, I'll take a crack at the darn thing myself. > But I don't claim to be any sort of expert on anything (except maybe the > semi-factual babbling), so I'd need a good group. > </OPINION> > > Just my $0.10 > > -Larry Engleman > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything.
Powered by blists - more mailing lists