Date: Tue, 11 Mar 2014 02:15:25 -0400 (EDT)
From: cve-assign@...re.org
To: snackypants@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: When is broken crypto a vulnerability?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> We know that people want (at least) data confidentiality when they opt
> to use an "encryption" feature.

Actually, there are multiple contexts in which people use the ZIP
encryption feature when they're not looking for confidentiality.

Here's a sample help page from a university IT department:

  https://wiki.csuchico.edu/confluence/display/help/Blocked+E-mail+Attachments+File+Types

  Our filters are unable to scan files within a password protected .zip
  archive. When the filters encounter a protected .zip file, a warning
  message is appended to the original message and is passed through with
  the attachment intact. If you need to send or receive a file type on
  the blocked list, you can protect the .zip file with a password and
  supply the password in your message in order for your recipient to
  open the file. If you need to receive one of these files, you can
  forward instructions for your sender to do the same.

Because the password is included in the message, this is obviously not
a solution to address confidentiality.

(In general, some mail systems intentionally allow encrypted ZIP files
for this functionality reason. Some mail systems intentionally block
encrypted ZIP files because they are, on the whole, more likely to be
malicious than unencrypted ones.)

Other references about essentially the same approach:

  http://support.liquidfiles.net/entries/24165389-Frequent-Responses-after-security-reviews

  "If you block say .exe files ... if someone really wants to send the
  file, they can in almost all cases just zip the file instead in an
  encrypted zip file we couldn't scan"

  http://www.zimbra.com/forums/administrators/42794-solved-allow-banned-content-encrypted-zip.html

  "Our organization needs to be able to send and receive otherwise
  banned content (exe,bat,dll, etc...) via a password encrypted ZIP
  archive."

We previously mentioned the use case of sending virus samples to
anti-virus vendors. This still occurs and was discussed in some blogs
last month:

  http://www.ghettoforensics.com/2014/02/google-actively-scanning-malware-emails.html
  http://grahamcluley.com/2014/02/shouldnt-gmail-zip-files-password-infected/

Again, the password is well known, and thus the goal isn't
confidentiality. Some major vendors recommend or support this, e.g.,

  http://www.mcafee.com/us/threat-center/resources/how-to-submit-sample.aspx
  http://forum.kaspersky.com/lofiversion/index.php/t280764.html
  https://ers.trendmicro.com/guide/en_us/AG/Help/Sending_Suspicious_Files_to_Trend_Micro.htm

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTHqkWAAoJEKllVAevmvmswRIIALJd/mBpEKMQ9vCetaKfDNTC
kqRgUTSTW0ACQRCVROrlW2An18yU3u4qkRUl6IFCE8qFb95db06WyVdTlpvlY7CJ
HeXRT9NL5N2+coaOZoPIx2PzZ4qB5M+7oaWXNk7NesQW9k3ysjiy7rmN2K7gzsB3
2z6FD0nEgnMqjuMv2kEgq6Xv0Fme2W3T37A9HLTy7O5XTh2Tn3NHLCX28pzQ0mDl
Xd9C9YZRojCvQC69Xv7opdh9cOxJgybu89KMTctFdvyPJj8rGAZrLrq95ou/vWzx
Ps0A9LUTDL+Za2+GDAdWRVZ2m/tQUUnQ/j49+iJH4KUh4hEEknAQUtrJBpArvrk=
=NYwQ
-----END PGP SIGNATURE-----
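The message above turns on one observable property of an attachment: whether a ZIP archive is "password protected", which a mail filter must recognise before it can decide to pass it through with a warning, block it, or treat it as a known-password vendor submission. The script below is an added example, not part of the mailing-list message or of any product it cites. It reads the general purpose bit flag that the ZIP format stores in every local file header and central directory entry (bit 0 marks an encrypted entry) using Python's standard zipfile module, and applies either of the two filter policies the message describes. The sample archives are constructed in the script itself; the "encrypted" fixture is a plain archive with the flag bit set by hand, so it carries no real ciphertext and exists only to exercise the detector.

```python
import io
import struct
import zipfile

# APPNOTE "general purpose bit flag": bit 0 = entry is encrypted.
# (Strong/AES variants set additional bits but keep bit 0 set as well.)
ENCRYPTED_FLAG = 0x0001

# Offset of the 2-byte flag field after each header signature.
LOCAL_HDR_SIG, LOCAL_HDR_FLAG_OFF = b"PK\x03\x04", 6
CENTRAL_HDR_SIG, CENTRAL_HDR_FLAG_OFF = b"PK\x01\x02", 8


def encrypted_entries(data: bytes) -> list:
    """Return the names of archive members whose encryption flag is set.

    Only the central directory is parsed; no member is opened, so this
    works (and stays cheap) whether or not the password is known.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED_FLAG]


def classify_attachment(data: bytes) -> str:
    """Classify a raw attachment as 'not-zip', 'zip' or 'encrypted-zip'."""
    if not data.startswith(b"PK"):
        return "not-zip"
    try:
        flagged = encrypted_entries(data)
    except zipfile.BadZipFile:
        return "not-zip"  # PK prefix but not a parseable archive
    return "encrypted-zip" if flagged else "zip"


def filter_decision(classification: str, allow_encrypted_zip: bool) -> str:
    """Apply one of the two site policies the message describes.

    allow_encrypted_zip=True  -> pass through, but tag the message with a
                                 'not scanned' warning (the university policy).
    allow_encrypted_zip=False -> block, on the grounds that unscannable
                                 archives are disproportionately malicious.
    Plain ZIPs and non-ZIP files go to the normal content scanner.
    """
    if classification != "encrypted-zip":
        return "scan"
    return "pass-with-warning" if allow_encrypted_zip else "block"


def _set_encryption_bit(data: bytes) -> bytes:
    """Constructed test fixture only: set bit 0 in every local and central
    header so the archive claims encryption. Member data is left as-is."""
    buf = bytearray(data)
    for sig, off in ((LOCAL_HDR_SIG, LOCAL_HDR_FLAG_OFF),
                     (CENTRAL_HDR_SIG, CENTRAL_HDR_FLAG_OFF)):
        pos = buf.find(sig)
        while pos != -1:
            flags = struct.unpack_from("<H", buf, pos + off)[0] | ENCRYPTED_FLAG
            struct.pack_into("<H", buf, pos + off, flags)
            pos = buf.find(sig, pos + len(sig))
    return bytes(buf)


def build_sample_archives():
    """Constructed inputs: a plain ZIP and the same ZIP flagged as encrypted.
    Member content is inert text named like a blocked file type."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr("sample.exe", "placeholder, not an executable")
    plain = out.getvalue()
    return plain, _set_encryption_bit(plain)


if __name__ == "__main__":
    plain, flagged = build_sample_archives()
    for label, blob in (("plain", plain), ("flagged", flagged), ("text", b"hello")):
        cls = classify_attachment(blob)
        print(label, cls,
              "allow-policy:", filter_decision(cls, True),
              "block-policy:", filter_decision(cls, False))
```

Because only the central directory is read, the check does not need the password and is unaffected by which cipher was used, which is exactly why a filter can tag the message but not inspect the payload. A real gateway would also want to handle archives nested inside other attachments and malformed archives that zipfile rejects but an end-user tool might still open.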