On Sun, Feb 07, 2010 at 12:44:52PM -0500, erik quanstrom wrote:
> 1.  the sender can't control email headers.  many
> transfer agents add a random transfer-id which
> would confound this attack.
> 
> 2.  if the rcpt uses mbox format, the sender can't
> control how your message is fit into venti blocks.
> the sender would need to control the entire
> mail box.

Fine, so he sends the evil document as a MIME attachment and you decode it
into its own file to see what it is, just as fossil takes its nightly
snapshot and flings data off to venti.
 
> 3.  http://en.wikipedia.org/wiki/SHA_hash_functions
> says that there have been no SHA1 collisions found.

Up until relatively recently, that would have been true for MD5 as well.

--nwf;
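
The block-alignment point in the exchange above, as an added illustration that is not part of either author's message: in a store that indexes fixed-size blocks by SHA-1, the blocks of an mbox depend on headers and earlier mail, while a decoded attachment saved as its own file yields exactly the sender's blocks. The 8192-byte block size, addresses, header layout and sample data are assumptions constructed for the example; it models only the hashing, not venti or fossil themselves.

```python
import base64
import hashlib

BLOCK = 8192  # assumed block size; the thread does not give one

def scores(data: bytes) -> list[str]:
    """SHA-1 of each fixed-size block, as a hash-addressed store would index it."""
    return [hashlib.sha1(data[i:i + BLOCK]).hexdigest()
            for i in range(0, len(data), BLOCK)]

B64_HDR = b"Content-Transfer-Encoding: base64\n\n"

def append_to_mbox(mbox: bytes, transfer_id: bytes, attachment: bytes) -> bytes:
    """Deliver one message; the transfer agent, not the sender, picks transfer_id."""
    return (mbox
            + b"From sender@example.org Sun Feb  7 12:00:00 2010\n"
            + b"Received: by mx.example.net id " + transfer_id + b"\n"
            + b"Content-Type: application/octet-stream\n"
            + B64_HDR + base64.encodebytes(attachment) + b"\n")

def save_last_attachment(mbox: bytes) -> bytes:
    """What the recipient writes to its own file after decoding the attachment."""
    return base64.decodebytes(mbox.rsplit(B64_HDR, 1)[1])

# Constructed inputs: a 3-block sender-chosen document and some earlier mail.
DOC = b"".join(hashlib.sha256(b"%d" % i).digest() for i in range(3 * BLOCK // 32))
EARLIER = b"From a@example.org Sat Feb  6 09:00:00 2010\n\nearlier mail\n\n" * 40

def compare() -> dict:
    m1 = append_to_mbox(EARLIER, b"AA1234", DOC)
    m2 = append_to_mbox(EARLIER, b"ZZ98765", DOC)  # different id and length
    doc_scores = set(scores(DOC))
    return {
        # Inside the mbox the document is base64 text at an offset set by others.
        "doc_blocks_in_mbox": len(doc_scores & set(scores(m1))),
        # A different transfer-id changes the mbox blocks that hold the message.
        "mbox_tail_equal": scores(m1)[-1] == scores(m2)[-1],
        # Saved to its own file, the blocks are the sender's, whatever the id was.
        "file1_equals_doc": scores(save_last_attachment(m1)) == scores(DOC),
        "file2_equals_doc": scores(save_last_attachment(m2)) == scores(DOC),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```
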
