Open Source and information security mailing list archives
Message-ID: <CALKmEuCtNgaReSNBm9jSsBjnrH+pb-h1gaPcnVfvFKwrkRkZSg@mail.gmail.com>
Date: Mon, 17 Jun 2013 20:49:50 +0200
From: Daniël W. Crompton <daniel.crompton@...il.com>
To: noloader@...il.com
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>,
security@...ossecurity.com
Subject: Re: Microsoft Outlook Vulnerability: S/MIME Loss of Integrity
Jeff,
how would that work? AFAIK S/MIME is public key cryptography, how would you
decrypt a message which is not encrypted with your public key?
D.
On 17 June 2013 20:17, Jeffrey Walton <noloader@...il.com> wrote:
> On Mon, Jun 17, 2013 at 11:19 AM, ACROS Security Lists <lists@...os.si>
> wrote:
> > Valdis,
> >
> >> No, that's how to do it *hardline*. There's many in the
> >> security industry that will explain to you that it's also
> >> doing it *wrong*. Hint - the first time that HR sends out a
> >> posting about a 3-day window next week to change your
> >> insurance plan without penalty, signs it with something that
> >> doesn't match the From:, and the help desk is deluged by
> >> phone calls from employees who can't read the mail, the guy
> >> who put "You shall not pass" in place will be starting a job hunt.
> >
> > If there was an industry standard specifying the you-shall-not-pass for all web
> > browsers, it wouldn't be the guy (developer) who put this roadblock in place that
> > would start a job hunt but someone within the company whose job was to avoid the
> > roadblock by making sure the cert that HR is using was okay. That would happen a
> > couple of times, and then not any more, as people have great capacity for learning.
> >
> > ....
> > ... If I get an encrypted
> > message that was mistakenly not encrypted with my key, it would be very productive to
> > have a "Just decrypt anyway" button but we obviously don't have that. ...
> A lot of folks would like to have that button ;)
>
> Jeff
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
--
blaze your trail
--
Daniël W. Crompton <daniel.crompton@...il.com>
<http://specialbrands.net/>
<http://twitter.com/webhat>
<http://www.facebook.com/webhat><http://plancast.com/webhat><http://www.linkedin.com/in/redhat>