Bugtraq mailing list archives
Re: (Fwd) Keyservers Cross Site Scripting (When CSS Gets Dangerous)
From: "Michael Young" <mwy-pks55 () the-youngs org>
Date: Mon, 22 Apr 2002 13:45:50 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 From: "Stefan Kelm" <kelm () secorvo de>
This is of particular danger when it comes to keyservers, since the key information itself is usually considered as highly trustworthy.
Absolutely not. Keyservers are wide open public repositories. They can, and do, contain arbitrary garbage. Users should only trust material that they can verify through signatures or direct contact. Moreover, clients should only be generating well-formed URLs for key lookups. What am I missing? -----BEGIN PGP SIGNATURE----- Version: PGP Personal Privacy 6.5.3 iQA/AwUBPMRMGVMkvpTT8vCGEQKSRQCgi3Uvj/w4wAtFsBzM0Yt+CglxTj0AoNCj vADEMPSTqze3uqdKfLUp3JyT =IXGp -----END PGP SIGNATURE-----
Current thread:
- Re: (Fwd) Keyservers Cross Site Scripting (When CSS Gets Dangerous) Michael Young (Apr 24)