On Fri, Oct 20, 2017 at 10:58 AM, Jeroen Demeyer <jdeme...@cage.ugent.be> wrote:
> On 2017-10-19 20:07, Luca De Feo wrote:
>>
>> There you go for something crippled!  https://shattered.io/
>
>
> I don't think that this is actually relevant. This attack would only work if
> an attacker is able to provide a specially manufactured source tarball and
> get it accepted by SageMath. At that point, the attacker could instead just
> insert arbitrary code in the source tarball.

That's not true.  The whole point is that HTTP is ridiculously easy to
hijack, so an attacker need not get anything accepted by Sage.

It's an unlikely attack vector to be sure, but not impossible.
