oss-sec mailing list archives
Re: When is broken crypto a vulnerability?
From: Chris Palmer <snackypants () gmail com>
Date: Mon, 10 Mar 2014 14:32:21 -0700
On Mon, Mar 10, 2014 at 1:19 PM, Alex Gaynor <alex.gaynor () gmail com> wrote:
When thinking about this issue, I like to refer to: https://glyph.twistedmatrix.com/2005/11/ethics-for-programmers-primum-non.html Any time the behavior of the program violates the user's intent in a way which compromises their security, that's a security issue. To that end, any of a-d, IMO, ought to qualify for a CVE; the only acceptable way to expose functionality like this is LegacyObviouslyBrokenZipEncryption.
Strong agree.