[openssl-users] Fwd: CONGRATULATION____REF#87670

Johann v. Preußen jvp at forthepolls.org
Mon Apr 4 22:21:23 UTC 2016


if this list was for tex-mex cooking recipes or ES vacation rentals, i would 
agree that expectations for privacy might be very low and individual subscribers 
are responsible to be as circumspect as they personally feel they must be.

however, this is a list of people in the forefront of addressing global 
security issues and -- i would think -- subscribers would certainly want their 
personal info (U.S. Title XIII PII) to be as secure as the issues they are 
grappling with rather than having it published in the clear. the security issue 
re the subscriber email addr spreads beyond the actual person as well. suppose 
we have henrietta schmidt who is the email security officer for xyz corp who is 
addressed as h.schmidt at xyz.com. since most large firms and almost all gov 
agencies have rigid mailbox addressing schemes, it is quite possible to 
extrapolate from this one email addr to a much wider range. like xyz's CIO joe 
blow who is most likely to be found at j.blow at xyz.com or some close variant.

the payoffs for the successful breaching of systems of large firms and 
governments are huge and it does not require much imagination to deduce that the 
pantheon of perpetrators is large, their diligence is intense, and their numbers 
are not confined to a bunch of "script kiddies". quite plainly, i do not believe 
that openssl should be making their job easier.

--
Thank you,

Johann v. Preußen

On 2016.Apr.04 14:49, Jeffrey Walton wrote:
> On Mon, Apr 4, 2016 at 5:32 PM, Johann v. Preußen <jvp at forthepolls.org> wrote:
>> right now our conversation is bi-directional since the listserv is off-line.
>>
>> i also looked at the headers and they do seem to originate within google
>> itself ( bogon receipts). so, are you telling me that the mere fact that an
>> email is addressed to the list will get it published without verifying that
>> the sender is a subscriber?
>>
>> everything else i mention relates to the needless exposure of the
>> subscriber's real name and email addr and the permitting of private anchors.
>> obviously, i believe that these practices greatly increase security risks
>> for the subscriber and will subject them to a potential flood of noxious
>> junk.
> Yes, I agree Johann. The thing I would point out is there's usually no
> expectation of privacy with a mailing list, so users should not be
> surprised if their email address shows up in a traditional email
> header or an X-header somewhere.
>
> What piqued my interest was that sudden spurt of spam. Something was
> not right, but I could not finger it.
>
> Jeff
