Might have been helpful to attach the advisory.
Tim
--
Tim Brown
mailto:t...@nth-dimension.org.uk
http://www.nth-dimension.org.uk/
NDSA20140311.txt.asc
been
disclosed by a 3rd party. In light of this and in the absence of any timely
response from BlackBerry, Nth Dimension have opted to make full details
public.
--
Tim Brown
mailto:t...@nth-dimension.org.uk
http://www.nth-dimension.org.uk/
This release includes important security fixes:
- S2-020 - ClassLoader manipulation via request parameters
What is the ultimate impact of this manipulation? Another RCE bug?
tim
___
Full-Disclosure - We believe in it.
Charter: http
an Object (getAnObject in
this example), then they'd still be able to get at the ClassLoader
with your exclusion regex, right? Or am I missing something about
other mitigations you guys have put into place in prior versions?
Thanks,
tim
1. http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork
VDBs, please note that the referenced CVE ID is wrong. CVE-2014-1643 was
actually assigned to this issue by Symantec.
Tim
--
Tim Brown
mailto:t...@65535.com
and OpenVAS Administrator have also been created which incorporate
these patches.
Thanks
OpenVAS would like to thank Antonio Sanchez Arago for his help in reporting
the vulnerability and apologise to all concerned for the substantial delay
in triaging his report.
--
Tim Brown
mailto:t...@openvas.org
, but you can start with the
above steps (which immediately improves security), and then slowly
transition to using scrypt alone or some variant that supports longer
passwords.
tim
a patch which it is believed
successfully resolves the reported issue.
Thanks
Nth Dimension would like to thank all the security folk at RIM, in
particular the BlackBerry Incident Response team for the way they worked
to resolve the issue.
--
Tim Brown
mailto:t...@nth-dimension.org.uk
http://www.nth
releases of both 3.0.x
and 4.0.x have also been created which incorporate this patch.
Thanks
OpenVAS would like to thank Andre Heinecke of Greenbone Networks for
his help in reporting the vulnerability.
--
Tim Brown
mailto:timb@openvas,org
http://www.openvas.org/
OpenVAS Security Advisory
and a user on Talk are open to man in the
middle attacks even without the cooperation of Google.
Tim
PS I am aware of discussions on various XMPP lists around this issue, but
no one seems to have come up with a satisfactory answer.
--
Tim Brown
mailto:t...@nth-dimension.org.uk
http://www.nth
Hi Adam,
Based on the details released so far about the exploit in the wild,
how likely do you think it is that your research may have been leaked?
tim
for this application. We
need something better.
tim
Precisely.
tim
On Fri, Jul 13, 2012 at 11:24:37AM -0700, Gage Bystrom wrote:
Well if I understand Tim correctly you wouldn't need a CA. In the attack he
mentioned not once do you ever actually look at the ssl content. He's
talking about redirecting them to plain http and then setting
Gentoo Linux Security Advisory GLSA 201201-17
http://security.gentoo.org/
evaluate if you've installed or not and wp_die() if you
have.
Tim
--
Tim Brown
mailto:t...@65535.com
Gentoo Linux Security Advisory GLSA 201201-03
http://security.gentoo.org/
Gentoo Linux Security Advisory GLSA 201201-02
http://security.gentoo.org/
Gentoo Linux Security Advisory GLSA 201201-01
http://security.gentoo.org/
be available to determine what the
vulnerability is that they exploited, but you've certainly made it a
lot harder to isolate the event.
tim
For future reference, and for the benefit of people searching for
solutions to similar problems: You've made the most common rookie
mistake. You have already trashed potentially critical information
about the attack by trying to clean up the server first. Don't do
that.
Tim, while I
within a running system though, I would
recommend against it.
tim
Gentoo Linux Security Advisory GLSA 20-05
http://security.gentoo.org/
Gentoo Linux Security Advisory GLSA 20-03
http://security.gentoo.org/
Gentoo Linux Security Advisory GLSA 20-04
http://security.gentoo.org/
Gentoo Linux Security Advisory GLSA 201110-24
http://security.gentoo.org/
Gentoo Linux Security Advisory GLSA 201110-25
http://security.gentoo.org/
Gentoo Linux Security Advisory GLSA 201110-26
http://security.gentoo.org/
Gentoo Linux Security Advisory GLSA 201110-21
http://security.gentoo.org/
Gentoo Linux Security Advisory GLSA 201110-20
http://security.gentoo.org/
Gentoo Linux Security Advisory GLSA 201110-15
http://security.gentoo.org/
Gentoo Linux Security Advisory GLSA 201110-16
http://security.gentoo.org/
Gentoo Linux Security Advisory GLSA 201110-13
http://security.gentoo.org/
-dimension.org.uk/downloads.php?id=80 - Generic attack on
the QNX runtime linker which abuses an arbitrary file overwrite and race
condition to get root.
CVE-2011-4060.
Cheers,
Tim
--
Tim Brown
mailto:t...@nth-dimension.org.uk
http://www.nth-dimension.org.uk/
Gentoo Linux Security Advisory GLSA 201110-10
http://security.gentoo.org/
Gentoo Linux Security Advisory GLSA 201110-11
http://security.gentoo.org/
this does not allow
the wrong file to be overwritten, after closing the default view, Ark will then
attempt to delete the temporary file which could result in the deletion of
the incorrect file.
After discussions with the vendor, CVE-2011-2725 was assigned to this
vulnerability.
Tim
--
Tim Brown
How do you unsubscribe from this list? I have already been to the site
and entered my details and got the link and clicked on it, yet I am
still getting email!
On 03/10/11 16:27, Rove Monteux wrote:
I was just about to ask the same, how old are yous, 13 or something ?
Dne 3.10.2011 17:16,
plaintext can be crafted.
Ok, sure, that seems pretty painful (storage/protection of pad, etc).
I guess the only other technical solution would be steganography.
tim
.
tim
Tim, I actually use TrueCrypt now to do exactly what you speak of. I
pre-allocate a fixed virtual disk, and use one passcode for one section of
data and a different passcode for a different section of data. It is
impossible to determine if the disk is set up in this manner
the whole disk's size,
more or less, then they'll know something is missing. How does
TrueCrypt prevent that? Seems to be very difficult, but maybe you can
enlighten me on that.
tim
.
Then again, many investigators are not determined. Keep the partition
small, put it inside another encrypted partition, maybe they'll miss
it.
tim
the machine under a debugger to see what is really going on to
discover how much data should be left and where it should reside.
I agree with Thor though, if done carefully there are several ways to
argue that's not mine or I forgot the password or something
similar.
tim
compelled to give up keys?
tim
though.
Someone pointed this out to me off-list:
http://www.truecrypt.org/docs/?s=hidden-volume-protection
So TrueCrypt can be configured to allow the trashing of your hidden
volume, eliminating the information leak that I believed must exist.
They've thought this through quite well.
tim
, there's just *so* much to do. ;-)
tim
to influence it, then you would have a more solid
RCE vector.
tim
to get root.
The paper is still a work in progress but both DB2 and QNX are available for
download if you want to take them for a spin. Anyway, enjoy!
Tim
--
Tim Brown
mailto:t...@nth-dimension.org.uk
http://www.nth-dimension.org.uk/
On Tuesday 12 April 2011 03:36:24 Vincent Danen wrote:
* [2011-04-11 22:07:24 +0100] Tim Brown wrote:
I was recently taking a look at Konqueror and spotted an example of
universal XSS. Essentially, the error page displayed when a requested
URL is not available includes said URL. If said URL
considerations.
tim
I was recently taking a look at Konqueror and spotted an example of universal
XSS. Essentially, the error page displayed when a requested URL is not
available includes said URL. If said URL includes HTML fragments these will
be rendered. CVE-2010-2952 has been assigned to this issue.
Tim
. They could be, but be careful with your accusations.
HTH,
tim
, then XOR away the plaintext from the ciphertext to get your
keystream for each. If you see duplication across key streams, then
you might be looking at a bad hack or use of a cipher which reuses the
same IV for each email address, which is also a big no-no.
HTH,
tim
-Zip in a Commercial Application?
Yes, but you are required to specify in your documentation (1) that
you used parts of the 7-Zip program, (2) that 7-Zip is licensed under
the GNU LGPL license and (3) you must give a link to www.7-zip.org,
where the source code can be found.
tim
Affected products:
-
Trixbox CE 2.8.0.4 and below
Trixbox CE 2.6.2.3 and below
--
Details:
--
Trixbox CE, an Asterisk and FreePBX based system ships with undocumented web
admin.
The admin web interface can be accessed by user wwwadmin which grants full
of an arbitrary
file. Moreover the technique by which this can be achieved can be triggered
even where the binary being executed is setUID and is running as another user.
Tim
--
Tim Brown
mailto:t...@nth-dimension.org.uk
http://www.nth-dimension.org.uk/
NDSA20110310.txt.asc
If I have
set smtp_url = smtps://tes...@lola.com:587
set ssl_starttls = yes
set ssl_force_tls = yes
mutt is unable to connect.
In this case, shouldn't you disable ssl_starttls ?
tim
As port 587 is the port for TLS/STARTTLS and port 465 is for ssl if I
am not mistaken.
Please do point out if I have gotten this completely incorrect.
Nope, you're right, it looks like I got the two mixed up.
Good catch on the lack of certificate validation.
tim
the difference is a key skill for
security professionals of any kind.
cheers,
tim
* To put it another way, the function which describes security return on
investment, as one grows investment from 0 to infinity is sometimes
continuous and sometimes discontinuous (stair-stepped), or a mix
for yourself.
tim
, you'll come to understand the solid arguments
several of us are making.
tim
to thank Ronald Kingma and Alexander van Eee of ISSX for
their help in reporting the vulnerability.
--
Tim Brown
mailto:t...@openvas.org
http://www.openvas.org/
OpenVAS Security Advisory (OVSA20110118)
Date: 18th January 2011
Product: OpenVAS Manager = 1.0.3 and 2.0rc2
Vendor: OpenVAS http
Gentoo Linux Security Advisory GLSA 201101-09
http://security.gentoo.org/
Gentoo Linux Security Advisory GLSA 201101-08
http://security.gentoo.org/
. Yes, the EULAs all say you
can't do this, but in reality there's always a leverage point one way
or another.
tim
Gentoo Linux Security Advisory GLSA 201101-02
http://security.gentoo.org/
Gentoo Linux Security Advisory GLSA 201101-03
http://security.gentoo.org/
often, or you
can't trust that the patches won't break your environment, then you
probably need to find a software vendor that invests more in QA.
tim
Gentoo Linux Security Advisory GLSA 201101-01
http://security.gentoo.org/
to decrypt these
so you would end up only ever being able to use firefox on the machine
and nothing else ever again.
personally I would not touch this with a barge pole and I would do a lot
more digging and checking into this.
regards
Tim
On 08/12/10 11:12, mrx wrote:
Hi list,
Is anyone
process. You don't
need to do anything special with code signing. Just check for
updates via HTTPS URLs and require that verification checks out.
tim
the form if they’re MitMing and trick the user into
sending plaintext.
Yeah, these kinds of protocols must be baked into the browser.
Whether that be through an add-on or native, it needs to be
distributed a priori. Don't bother with JavaScript.
tim
, but before
you propose alternative solutions, do the research and see what's
already out there. If you like what's already out there, then
aid its development/deployment and advocate its usage. It's easy to
develop a new crypto protocol. It's really hard to get people to use
it.
tim
.
Tim
--
Tim Brown
mailto:t...@nth-dimension.org.uk
http://www.nth-dimension.org.uk/
Amen. This is why we should use and support web of trust style systems.
Webs of trust could definitely make SSL's PKI more fault tolerant.
The hard part is figuring out how to make it work while users don't
have to put forth any additional effort. Thoughts?
tim
scales much better.
The core difference between the two is that the number of unique keys
needed to carry on private conversations in a group of entities grows
O(n^2) with symmetric keys and O(n) with public keys. I'm sure you
realize this though.
tim
because the programmer didn't understand
the Python scoping rules. (At least that's what I gather from the bug
report alone; didn't look at the rest of the code.)
I'm really not sure how any of this is security related.
tim
been defined. It's worth checking for this kind of thing in scripts
that may be run via sudo/su when auditing hosts. I don't believe it's a
vulnerability per se, but particular instances of broken scripts may well be.
Tim
--
Tim Brown
mailto:t...@nth-dimension.org.uk
http://www.nth
from the original user. The script sets the dangerous path, but
since sudo hasn't changed the CWD it points at the directory the user running
sudo was in.
Tim
--
Tim Brown
mailto:t...@65535.com
I've identified that Rekonq versions up to and including 0.5 were
vulnerable to universal XSS affecting the error page. CVE-2010-2536 was
assigned for this vulnerability.
Cheers,
Tim
--
Tim Brown
mailto:t...@nth-dimension.org.uk
http://www.nth-dimension.org.uk/
NDSA20100810.txt.asc
in that the administrative
interface can be disabled, I'm not convinced that making a C compiler
available over a network interface without authentication is sound practice,
especially when the resultant compiled code can be made to run as root rather
trivially.
Tim
--
Tim Brown
mailto:t...@nth
, an attacker probably doesn't need to make the distinction
anyway.
Tim
--
Tim Brown
mailto:t...@nth-dimension.org.uk
http://www.nth-dimension.org.uk/
It does not work,
it's just a counter : - )
System: German XP Pro Sp3, IE8
with kind regards,
Tim Kunschke
, though not
fully foolproof, can't work.
Hi RandallM,
The answer is: Once you're infected, you shouldn't be trying to clean
things. Reinstall.
Need files off of that box first? Mount the drive under another OS,
or better yet, use the sleuthkit to get them off.
cheers,
tim
of the issue.
Secunia: Please fix your listing. CSRF is still an issue in the admin
area, but the bigger (separate) issue is a complete authentication
bypass in a badly designed /admin/ area.
tim
of extremely critical, not mine).
Agreed.
Happy Friday 13th... ;)
=) Have a good one,
tim
If there's really a Moxie Marlinspike fan club [1], I'm definitely a member..
Attached is one of the null-prefix certificates [2] that he distributed during
his intercepting secure communication training at Black Hat. This one's for
www.paypal.com, and since the Microsoft crypto api appears
at any real-world crypto protocols that
use public keys for authentication? They pretty much all use
symmetric ciphers for encryption after agreeing on a session key, so
this isn't unusual. As another poster mentioned, the primary reason
for this is performance.
tim
Hi,
I've identified a couple of security flaws affecting the NullLogic Groupware
which may allow compromise of accounts, denial of service or even remote code
execution. These issues were reported by email to the developer but no
response was forthcoming.
Tim
--
Tim Brown
mailto:t...@nth
Hi,
I've identified a couple of security flaws affecting the TekRADIUS radius
server for Windows which may allow privilege escalation. These issues were
reported by email to the vendor and have I believe been resolved.
Tim
--
Tim Brown
mailto:t...@nth-dimension.org.uk
http://www.nth
sending data plain text. It's not that
I approve of the current SSL PKI regime, but it's still better than
none.
tim
conceive of
some hypothetical radio broadcast or other physical media which, if
carefully designed, could make MitM attacks difficult by virtue of the
media itself (along the lines of a poor man's quantum crypto line), but
I don't know of any in use. Do enlighten me if you do.
cheers,
tim
to rely on the CA gods in the sky to do it
for them. Still not perfect, but better than the current state of
things.
tim
to write and release it.
By implying to non-security types that there is some kind of tangible
difference in the security between plain text and non-authenticated SSL
is a great disservice. Yeah, to the layman it sounds like there ought
to be a difference, but there isn't.
tim
EOL
and redistribute.
Some crazy ideas, I know. Feel free to shred them.
tim
think it's on topic for the list. I'll change the subject next time I
post on the matter if it makes you feel better (or even if it doesn't).
tim
tim
trolling.
tim
.
Is there any chance it would be feasible to get a list of all the weak keys
that were actually certified by browser-installed CAs, or those weak
certificates? Presumably, this list would be much smaller and would be more
effectively distributed in Bloom filter form.
- Tim
to German law I'm probably not allowed to
post this link)
http://www.google.com/search?q=xssshell
Cheers,
Tim
--
Tim Brown
mailto:[EMAIL PROTECTED]