Date: Fri, 16 Jan 2015 00:06:50 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-Request -- CMS b2evolution v.5.2.0 --
 Reflecting XSS vulnerability in filemanager functionality

On Thu, 15 Jan 2015 16:44:39 -0500
Daniel Kahn Gillmor <dkg@...thhorseman.net> wrote:

> Is a bit troubling, because it seems to rely on the Subject: line for
> necessary context in interpreting the signed message.

There's probably no better evidence for the severe usability issues
pgp-based mail has than people on a mailing list of IT security
specialists explaining to each other how to properly use it :-)

Having said that: I have a rough kind-of-proposal to fix exactly that
problem. I think pgp not encrypting/signing the subject is one of its
major usability fails.
I'll send my ideas to the gpg dev list soon, will post a link here when
done. Let's see if we can at least fix that.

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42
