Date: Fri, 16 Jan 2015 00:06:50 +0100 From: Hanno Böck <hanno@...eck.de> To: oss-security@...ts.openwall.com Subject: Re: CVE-Request -- CMS b2evolution v.5.2.0 -- Reflecting XSS vulnerability in filemanager functionality On Thu, 15 Jan 2015 16:44:39 -0500 Daniel Kahn Gillmor <dkg@...thhorseman.net> wrote: > Is a bit troubling, because it seems to rely on the Subject: line for > necessary context in interpreting the signed message. There's probably no better evidence for the severe usability issues pgp-based mail has than people on a mailing list of IT security specialists explaining each other how to properly use it :-) Having said that: I have a rough kind-of-proposal to fix exactly that problem. I think pgp not encrypting/signing the subject is one of its major usability fails. I'll send my ideas to the gpg dev list soon, will post a link here when done. Let's see if we can at least fix that. -- Hanno Böck http://hboeck.de/ mail/jabber: hanno@...eck.de GPG: BBB51E42 [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ