Message-ID: <20150116000650.6b0f3a05@pc>
Date: Fri, 16 Jan 2015 00:06:50 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-Request -- CMS b2evolution v.5.2.0 -- Reflecting XSS vulnerability in filemanager functionality

On Thu, 15 Jan 2015 16:44:39 -0500
Daniel Kahn Gillmor <dkg@...thhorseman.net> wrote:

> Is a bit troubling, because it seems to rely on the Subject: line for
> necessary context in interpreting the signed message.

There's probably no better evidence for the severe usability issues
pgp-based mail has than people on a mailing list of IT security
specialists explaining to each other how to properly use it :-)

Having said that: I have a rough kind-of-proposal to fix exactly that
problem. I think pgp not encrypting/signing the subject is one of its
major usability fails.
I'll send my ideas to the gpg dev list soon, and will post a link here when
done. Let's see if we can at least fix that.

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42

Content of type "application/pgp-signature" skipped
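As an added illustration (not part of the original message or of any of the projects mentioned), the following Python sketch shows why the Subject is outside what a PGP/MIME signature covers: under RFC 3156 the signature is computed over the first body part only, so the outer headers (Subject, From, To) are unsigned. The message and the signature blob are constructed placeholders; no cryptographic verification is performed.

```python
import email
from email import policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

def build_sample_message():
    """Constructed PGP/MIME (RFC 3156) signed message with a placeholder signature."""
    signed_part = MIMEText("Patch attached, please review.\n", "plain")
    sig = MIMEApplication(
        b"-----BEGIN PGP SIGNATURE-----\n(placeholder)\n-----END PGP SIGNATURE-----\n",
        "pgp-signature", name="signature.asc")
    msg = MIMEMultipart("signed", protocol="application/pgp-signature",
                        micalg="pgp-sha256")
    msg["Subject"] = "Re: CVE-Request -- CMS b2evolution v.5.2.0"
    msg["From"] = "sender@example.org"
    msg["To"] = "oss-security@lists.openwall.com"
    msg.attach(signed_part)
    msg.attach(sig)
    return msg.as_bytes()

def signed_payload(raw):
    """Return (signed_bytes, inner_header_names, outer_header_names).

    Rejects anything that is not a well-formed two-part multipart/signed
    whose second part matches the declared protocol.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed message")
    parts = msg.get_payload()
    if len(parts) != 2 or parts[1].get_content_type() != msg.get_param("protocol"):
        raise ValueError("malformed PGP/MIME structure")
    body_part = parts[0]
    # RFC 3156 section 5: the signature covers the first body part exactly as
    # transmitted, its own MIME headers included, with CRLF line endings.
    signed_bytes = body_part.as_bytes(policy=policy.default.clone(linesep="\r\n"))
    return signed_bytes, set(body_part.keys()), set(msg.keys())

def header_coverage(raw):
    """Map each outer header name to whether it is inside the signed data."""
    _, inner, outer = signed_payload(raw)
    return {name: (name in inner) for name in outer}

if __name__ == "__main__":
    for name, covered in sorted(header_coverage(build_sample_message()).items()):
        print(f"{name:24} signed={covered}")
```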
