On 2013-04-23 20:06:10 -0500, Derek Martin wrote:
> Cute, but DoS is not the only vector as you well know.  Using the
> message store or any part of the message store is not a workable
> solution.  It's (in general) data from an untrusted source and must be
> treated as such.  In particular, untrusted data must not be used as a
> source of input of any sort for functions used to secure the system.
> Doing so creates a potential attack vector.

I disagree. The entropy is typically created from untrusted data.

Note that message headers generally contain random data from different
machines; you can also combine them with other data such as the time
when the attachment is read, muttrc data (if the user has defined
aliases, they are probably private), and so on.

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
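As an added illustration of the two positions above (my own example, not code from this thread or from mutt), the mixer below hashes untrusted message headers together with local sources such as muttrc aliases and the read time; the sample inputs are constructed. It shows that header data an attacker controls cannot cancel the contribution of the local sources, and also the caveat Derek raises: if every local source is known to the attacker, the result is reproducible.

```python
import hashlib

def mix_sources(sources):
    """Fold labelled byte strings into one 32-byte seed with SHA-256.

    Hypothetical mixer for illustration. Labels and lengths are prefixed
    so moving bytes between two adjacent sources cannot give the same digest.
    """
    h = hashlib.sha256()
    for label, data in sources:
        h.update(len(label).to_bytes(2, "big") + label.encode("ascii"))
        h.update(len(data).to_bytes(4, "big") + data)
    return h.digest()

# Constructed sample inputs standing in for the sources named in the mail.
UNTRUSTED_HEADERS = b"Message-ID: <sample@example.invalid>\r\nX-Mailer: demo\r\n"
PRIVATE_ALIASES = b"alias alice alice@example.invalid\n"
READ_TIME = b"1366765570.123456"

def seed_for(headers, aliases=PRIVATE_ALIASES, read_time=READ_TIME):
    """Seed derived from an incoming message plus local, private data."""
    return mix_sources([("headers", headers),
                        ("muttrc", aliases),
                        ("time", read_time)])

def attacker_can_predict(attacker_headers, guessed_aliases, guessed_time):
    """An attacker who wrote the headers still has to know the local sources
    exactly to reproduce the seed; True only when both guesses are right."""
    real = seed_for(attacker_headers)
    guess = mix_sources([("headers", attacker_headers),
                         ("muttrc", guessed_aliases),
                         ("time", guessed_time)])
    return real == guess
```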
