Open Source and information security mailing list archives
 
Message-ID: <200411262321.iAQNLo1X016006@turing-police.cc.vt.edu>
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Mailing lists and unsolicited/malicious spam 

On Fri, 26 Nov 2004 16:51:27 GMT, n3td3v said:

> I was thinking, why are all e-mail addresses not encrypted as soon as
> they leave the author's mail client, surely this would stop anyone
> seeing the address, apart from the mail client at the other end the
> message was intended for. And when a user mails a mailing list the
> e-mail address could be read by the mailing list software, but stays
> encrypted for the broadcast out to the subscribers of the list.

The biggest problem here is that "reply" breaks.

The less obvious problem is that you are implying a way for the mailing
list software to decrypt the address, but *not* allow a spammer to decrypt
the address.  The only obvious solution for *that* is to encrypt to the
public key of the mailing list (forget a "shared secret" scheme, that won't
scale at all).  This however implies that your MUA knows about the public
keys for all lists you post to (which also means that you can't send e-mail
from an internet cafe or any machine that doesn't know what lists you are on).

An even less obvious problem is that you lose all cross-list identity - perhaps
'n3td3v' only posts to F-D, but I post to a number of lists, and a large number
of people read my postings on multiple lists.  As such, things like "Oh, he's
the guy who posts clued stuff on NANOG" or "Oh, that's Harlan Carvey, he has a
clue over on that other list" are difficult to correlate across lists....

(It cuts both ways - it also means that you have to re-learn that a given user
is a total idiot over and over, once for each list, rendering kill files much
less useful...)

I'm sure if I think some more, I'll spot some more problems.. :)