Full Disclosure mailing list archives
Re: Mozilla Thunderbird SMTP down-negotiation weakness
From: Markus Jansson <markus.jansson () gmail com>
Date: Sun, 16 Oct 2005 00:12:27 +0300
Tim wrote:
> I agree that this is less than optimal. Could you point me to the bug report you filed in bugzilla that requests these changes?

Here is one, you can follow the links to other ones :) https://bugzilla.mozilla.org/show_bug.cgi?id=154641

> It probably isn't that hard. Why don't you write a patch?

I don't have any knowledge of programming.

> Honestly though, this stuff is such a minuscule portion of overall security... How many users actually care when websites don't even have valid certificates? Heck, most browsers don't even check for CRLs by default, including IE.

True, but the ones who would like to check find that it is impossible. And for the ones who are not used to checking it, take an example from Opera of how to make them check it: it clearly displays the symmetric and asymmetric key sizes in the addresslike/statusline when you are in an https connection. Also, it warns if the symmetric keysize is secure but the asymmetric one is insecure.

> There are many many more, much easier ways to steal someone's sensitive info without attacking the crypto.

Sometimes. But that doesn't mean that an obvious weakness should not be fixed. Heck, why even bother patching at all, since the "weakest" link is "always" the dumb user who will execute any file you email to them... let's just forget Windowsupdate then, and new versions of Firefox, right? ;)
--
My computer security & privacy related homepage
http://www.markusjansson.net
Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/