Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Smells like a phish, is a fish?

from [Lyal Collins] Network Security [Permanent Link]
Subject: RE: Smells like a phish, is a fish?
Date: Mon, 31 Oct 2005 22:32:25 +1100 
Inline as  [LC]

-----Original Message-----
From: Devdas Bhagat [mailto:devdas@dvb.homelinux.org] 
Sent: Monday, 31 October 2005 4:47 AM
To: webappsec@securityfocus.com
Subject: Re: Smells like a phish, is a fish?


On 29/10/05 16:22 +1000, Lyal Collins wrote:

We are moving off topic slightly, but I disagree, and agree.
There is a bigger general problem caused by encrypting email in virtually
every PKI mechanism.
1. Virus and spam control measures fail.


Spam is not about content, even if there are misguided attempts at filtering
based on content. Spam is about consent, and the rejection can safely be
done at the edge.

[LC]
The point is that S/MIME and PGP mail can't be inspected at the email
gateway on the network edge - its encrypted desktop to desktop.
So the only place to manage viruses and spam is at the desktop, a failed
strategy today and in the past.

Lyal


2. Corporate access to the content in email is at the discretion of 
the individual, not the corporate entity. This breaks many corporate 
laws, and helps IP thft etc.

Signing email does not have these issues, but what's the point of the 
cost to do that (cert cost, support overheads et al) and not protect 
the message content from misuse?

There are better email authentication and confidentiality solutions 
that PKI-based ones.


Such as? Put it on a website and expect things to be collected later? Mail
2000?

Devdas Bhagat
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: J2EE Application Security Code Review, Dean H. Saxe
Previous by Thread:  Re: Smells like a phish, is a fish?, Devdas Bhagat
Next by Thread:  [Full-disclosure] Multiple vulnerabilities within RockLiffe MailSite Express WebMail, Paul Craig
Indexes:  [Date] [Thread] [Top] [All Lists]