Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 10 Mar 2014 14:32:21 -0700
From: Chris Palmer <snackypants@...il.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: When is broken crypto a vulnerability?

On Mon, Mar 10, 2014 at 1:19 PM, Alex Gaynor <alex.gaynor@...il.com> wrote:

> When thinking about this issue, I like to refer to:
> https://glyph.twistedmatrix.com/2005/11/ethics-for-programmers-primum-non.htmlany
> time the behavior of the program violates the users intent in a way
> which compromises their security, that's a security issue. To that end, any
> of a-d, IMO, ought to quality for a CVE, the only acceptable way to expose
> functionality like this is LegacyObviouslyBrokenZipEncryption.

Strong agree.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.