OK I'm getting pretty bored with this, it's already been decided by Kevin it won't be accepted, but I'll answer this last message since it attempts to directly address a challenge I made.
On Sat, Apr 18, 2020 at 08:00:24PM -0400, Remco Rijnders wrote: > On Sat, Apr 18, 2020 at 06:23:53PM -0500, Derek wrote in > <20200418232353.gm19...@bladeshadow.org>: > > > i'm sure one could come up with other data points if one is inclined > > > so. > > > > This is not a compelling argument, and I'm equally sure that you can't. > > "Ah... All this time you've been saying you do not know who Hot Lady 69 is, > but I see that your and her mail come from the same process, on the same > machine, with sequential ID's and just minutes apart. What gives?" etc [...] None of these are also compelling, partly because they all describe shady behavior, and I have never thought it to be Mutt's job to protect you from your own shady behavior. If you want to be shady, be also not stupid, or be prepared to accept the consequences of being caught being shady. They also require either full access to all of your e-mail, or to a very specific set of messages that bookends the period of bad behavior. That's not likely. The Hot Lady example is also another example of what I described before: it's irrelevant, because the message headers indicating the message came from the same source are already enough to incriminate you. In the case of actual criminal behavior, it's likely enough to justify a search warrant just about everywhere, if your local law enforcement even requires such things... The teen homework example is even more ridiculous because on top of all of those things, it also requires that a teen be using mutt to send e-mail, AND not be using instagram/snapchat instead, AND have a parent who is watching them so closely AND understands how Mutt's message IDs are generated AND IS ALSO NOT RUNNING THE E-MAIL SERVER the teen is using, so they could just read the messages. This is a pretty outlandish set of unlikely circumstances. None of this do I find compelling. > If (as ilf pointed out but which you did not address in your response to > him/her) the concerns raised in https://gitlab.com/muttmua/mutt/-/issues/159 > are valid there, why are they not valid in this context? I don't see anything I wrote at that link, but since you asked, I'll speak candidly. I largely think that change was also fairly pointless, however it's a change of default config only. As such I don't really care, anyone who wants to display their user agent still can, and it was never a required part of the spec. It does also identify PRECISELY which version of Mutt you're running, unlike the message-id generation, which may indicate very specifically what attack vectors are available to attack you through Mutt. I still don't consider that a very serious threat, because thankfully there have been blessedly few serious security issues in Mutt over its life. I will say this is in at least some small part because I have argued against code changes that provided little or no benefit or which degraded security for 20+ years, and managed to stop more than a few. You're welcome. =8^) -- Derek D. Martin http://www.pizzashack.org/ GPG Key ID: 0xDFBEAD02 -=-=-=-=- This message is posted from an invalid address. Replying to it will result in undeliverable mail due to spam prevention. Sorry for the inconvenience.
signature.asc
Description: PGP signature
