
Re: tmda: Challenge-response is fundamentally broken



On Wed, Aug 27, 2003 at 01:35:12PM +0200, Tore Anderson wrote:

>  with is that the C-R system in question ignores the fact that SMTP
>  headers are trivially (and regularly) forged.  I believe this is deliberate,
>  and that TMDA does not attempt to verify that the recipient of the
>  challenge truly was the sender of the original e-mail.  (If it did, I
>  would have no problem with it at all.)

You do realise that all parts of SMTP are generally completely
unauthenticated and can be trivially forged?  A system like this has no
option but to work with unauthenticated data.

-- 
"You grabbed my hand and we fell into it, like a daydream - or a fever."


