Date: Wed, 1 Oct 2008 23:17:16 -0300
From: M.B.Jr. <marcio.barbado@...il.com>
To: "Full-Disclosure mailing list" <full-disclosure@...ts.grok.org.uk>, "4a Delegacia de Meios Eletronicos do DEIC" <4dpdig.deic@...iciacivil.sp.gov.br>, "Cert. br" <cert@...t.br>, info@...amail.com.br, comercial@...aweb.com.br, schneier@...neier.com
Cc: "Policia Federal, denuncias" <dcs@....gov.br>
Subject: Brazil's weirdest infosec aspects: "your private key is officially theirs"

Greetings,

Locaweb is the name of the most prominent web hosting organization in Brazil. It was founded in 1998 and hosts more than 260 thousand domains today, according to its main website:

http://www.locaweb.com.br/

Unfortunately, not big enough to respect its customers. Locaweb seems to be confusing two concepts, the so-called "cloud computing" and "privacy".

This is about its e-mail outsourcing service, named Locamail, which offers a web-based access option, with lots of features. Some are useful. One of them, though, acts really strangely. It's this key-generation-capable, weird PGP module. The target of this text.

The whole thing is simple to depict: by the time one generates a key pair, surprise! One only receives a public key.

And as if not automatically providing its customers with their private keys wasn't enough, if some of them happen to formally request their account's private keys, Locaweb denies them. That is to say, one can always use "its" web-based private key for decrypting received messages or signing his mail, but that key belongs to Locaweb. One cannot read the private key he uses.

Such a horrifying situation clearly poses a threat to Locaweb's customers' privacy. Thinking sensibly, there's no scenario in which a "Private-Key-as-a-Service" model would be welcome.

Yours faithfully,

--
Marcio Barbado, Jr.

"In fact, companies that innovate on top of open standards are advantaged because resources are freed up for higher-value work and because market opportunities expand as the standards proliferate."
Scott Handy
Vice President Worldwide Linux and Open Source, IBM

This message and any file contained in it is confidential. "Whoever, in violation of law or regulation, exhibits an autograph or any document or file, discloses or communicates, informs or captures, transmits to another or uses the content, summary, meaning, interpretation, indication or effect of any communication addressed to a third party commits the crime of violation of telecommunications." (Article 56 of Law No. 4.117 of 27 August 1962, applicable to crimes in telecommunications, under art. 215, I, of Law 9.472/97).

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/