Open Source and information security mailing list archives

Message-ID: <435170BB.3030300@gmail.com>
Date: Sun Oct 16 06:04:05 2005
From: markus.jansson at gmail.com (Markus Jansson)
Subject: Mozilla Thunderbird SMTP down-negotiation weakness

Tim wrote:
> I agree that this is less than optimal.  Could you point me to the bug
> report you filed in bugzilla that requests these changes?

Here is one, you can follow the links to other ones :)
https://bugzilla.mozilla.org/show_bug.cgi?id=154641


> It probably isn't that hard.  Why don't you write a patch? 

I don't have any knowledge of programming.


> Honestly though, this stuff is such a miniscule portion of overall
> security...  How many users actually care when websites don't even have
> valid certificates?  Heck, most browsers don't even check for CRLs by
> default, including IE.

True, but the ones who would like to check, they find that it is 
impossible. And the ones who are not used to checking it, take an example 
from Opera of how to make them check it: It clearly displays the symmetric 
and asymmetric key sizes in the address-like/status line when you are in 
an https connection. Also, it warns if the symmetric key size is secure, but 
the asymmetric one is insecure.


> There are many many more, much easier ways to steal someone's sensitive
> info without attacking the crypto.

Sometimes. But that doesn't mean that an obvious weakness should not be 
fixed. Heck, why even bother patching at all, since the "weakest" link 
is "always" the dumb user who will execute any file you email to 
them... let's just forget Windows Update then, and new versions of Firefox, 
right? ;)


-- 
My computer security & privacy related homepage
http://www.markusjansson.net
Use HushTools or GnuPG/PGP to encrypt any email
before sending it to me to protect our privacy.
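Added example by the editor, not code from the original e-mail, from Mozilla or from Opera: a small SMTP client policy that refuses the plaintext fallback the subject line calls a "down-negotiation" (my reading of the term: a client that keeps talking in cleartext when STARTTLS is not advertised or is refused), together with an Opera-style summary of the negotiated symmetric and asymmetric key sizes that warns when only one of them is adequate. The EHLO/STARTTLS replies are constructed samples, the key-size thresholds are illustrative policy values of my choosing, and the peer key size is passed in by the caller because the standard `ssl` module does not expose it.

```python
"""Editor's example: no-fallback STARTTLS policy plus a key-size report.

Not part of the original thread or of any Mozilla/Opera code. Assumptions:
 - "down-negotiation" = the client continuing in cleartext when the server
   does not offer STARTTLS or rejects the STARTTLS command;
 - the thresholds below are illustrative policy, not Mozilla's or Opera's;
 - `cipher` has the shape of ssl.SSLSocket.cipher(): (name, protocol, bits);
 - `peer_key_bits` is obtained by the caller (e.g. by parsing
   getpeercert(binary_form=True) with the third-party 'cryptography' package).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

MIN_SYMMETRIC_BITS = 128    # assumed policy value
MIN_ASYMMETRIC_BITS = 2048  # assumed policy value


class DowngradeError(Exception):
    """Raised where a naive client would silently fall back to cleartext."""


def parse_ehlo(response: str) -> set[str]:
    """Return the extension keywords from a multi-line EHLO reply.

    RFC 5321 style: '250-KEYWORD' for continuation lines, '250 KEYWORD' for
    the last line. The first line carries the server name, not an extension.
    Any non-250 line means EHLO failed.
    """
    lines = [l for l in response.splitlines() if l.strip()]
    if not lines:
        raise ValueError("empty EHLO reply")
    exts: set[str] = set()
    for i, line in enumerate(lines):
        m = re.match(r"^250([ -])(.*)$", line)
        if not m:
            raise ValueError(f"EHLO failed: {line!r}")
        sep, text = m.groups()
        if i > 0 and text.strip():
            exts.add(text.split()[0].upper())
        if sep == " " and i != len(lines) - 1:
            raise ValueError("data after the final 250 line")
    return exts


def require_starttls(ehlo_response: str, starttls_reply: str | None = None) -> None:
    """Enforce 'TLS or nothing' at both points where an on-path attacker can
    strip encryption: the advertised capability list and the STARTTLS reply."""
    if "STARTTLS" not in parse_ehlo(ehlo_response):
        raise DowngradeError("STARTTLS not advertised; refusing to send in cleartext")
    if starttls_reply is not None and not starttls_reply.startswith("220"):
        raise DowngradeError(f"STARTTLS refused ({starttls_reply.strip()}); refusing cleartext")


def downgrade_detected(ehlo_response: str, starttls_reply: str | None = None) -> bool:
    """Boolean wrapper around require_starttls() for callers that only want a verdict."""
    try:
        require_starttls(ehlo_response, starttls_reply)
    except DowngradeError:
        return True
    return False


@dataclass
class TlsReport:
    protocol: str
    cipher: str
    symmetric_bits: int
    asymmetric_bits: int
    status: str                          # "ok", "weak-symmetric", "weak-asymmetric", "weak"
    warnings: list[str] = field(default_factory=list)

    def status_line(self) -> str:
        """One-line summary in the spirit of Opera's status-line display."""
        return (f"{self.protocol} {self.cipher}: symmetric {self.symmetric_bits} bits, "
                f"asymmetric {self.asymmetric_bits} bits [{self.status}]")


def describe_session(cipher: tuple[str, str, int], peer_key_bits: int) -> TlsReport:
    """Classify a negotiated session by its symmetric and asymmetric key sizes."""
    name, proto, bits = cipher
    weak_sym = bits < MIN_SYMMETRIC_BITS
    weak_asym = peer_key_bits < MIN_ASYMMETRIC_BITS
    warnings = []
    if weak_sym:
        warnings.append(f"symmetric key {bits} bits is below {MIN_SYMMETRIC_BITS}")
    if weak_asym:
        warnings.append(f"server asymmetric key {peer_key_bits} bits is below {MIN_ASYMMETRIC_BITS}")
    status = {(False, False): "ok", (True, False): "weak-symmetric",
              (False, True): "weak-asymmetric", (True, True): "weak"}[(weak_sym, weak_asym)]
    return TlsReport(proto, name, bits, peer_key_bits, status, warnings)


# Constructed sample replies (not captured from any real server).
EHLO_GOOD = "250-mail.example.test Hello\r\n250-SIZE 10240000\r\n250-STARTTLS\r\n250 HELP\r\n"
EHLO_STRIPPED = "250-mail.example.test Hello\r\n250-SIZE 10240000\r\n250 HELP\r\n"
STARTTLS_OK = "220 2.0.0 Ready to start TLS\r\n"
STARTTLS_REFUSED = "454 4.7.0 TLS not available due to temporary reason\r\n"

if __name__ == "__main__":
    for ehlo, reply in ((EHLO_GOOD, STARTTLS_OK), (EHLO_STRIPPED, None), (EHLO_GOOD, STARTTLS_REFUSED)):
        print("downgrade" if downgrade_detected(ehlo, reply) else "encrypted", repr(reply))
    print(describe_session(("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128), 1024).status_line())
```

With a live connection the cipher tuple comes straight from `ssl.SSLSocket.cipher()` after `STARTTLS`; the point of the two-stage `require_starttls()` check is that a client must treat both a missing `STARTTLS` keyword and a non-220 reply as a hard error, because either can be produced by an on-path attacker rather than by the real server.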
