For those who missed it: Hushmail is pwnd

Sarad AV jtrjtrjtr2001 at yahoo.com
Fri Nov 9 10:03:11 PST 2007


Now, how do we know which key distribution authority
and which certifying authority to trust? Isn't this
going to be a problem? Trust doesn't seem to work as
well as it used to.

Sarad.



--- Dave Howe <DaveHowe at gmx.co.uk> wrote:

> J.A. Terranson wrote:
> > I am shocked that Hush appears to have been in a position to have provided
> > the requesting authority with actual *content* of a Hush user account: my
> > prior belief was that this was non-possible.  The pwnage of this alone is
> > staggering in scope if correct.  Anyone from Hush care to entertain us
> > with an explanation of why this interpretation is incorrect?
>
> I suspect given the circumstances (i.e. using hushmail as an smtp
> endpoint for web orders) a large proportion of the mail will be normal
> unencrypted SMTP rather than hush2hush traffic or conventionally openpgp
> encrypted from outside the system (I have extracted keys for
> conventional crypto on occasion from the hushmail web interface, but
> doing so on a regular basis is like pulling teeth)







More information about the Testlist mailing list