On Sun, Apr 19, 2020 at 07:38:39AM -0400, Remco Rijnders wrote:
> On Sat, Apr 18, 2020 at 09:13:34PM -0500, Derek wrote in
> <20200419021334.go19...@bladeshadow.org>:
> > OK I'm getting pretty bored with this, it's already been decided by
> > Kevin it won't be accepted, but I'll answer this last message since it
> > attempts to directly address a challenge I made.
>
> Your initial response to my patch was in GB19544 from 19:59 on Friday. Then
> you moved on to do some other things and sent some other emails (on what and
> where I do not know, but I am reasonably confident there were two of them)
> before returning to this thread at 02:40 Friday on Saturday night in message
> GE19544. No further emails were sent by you till 12:04 on Saturday when you
> returned to this thread by message GF19544 -- I hope you slept well.
>
> And then:
> GG19544 12:17
> GH19544 12:17
> GI19544 12:26
> GJ19544 12:33
> GK19544 13:12
> GL19544 13:23
> GM19544 18:23 (Did you go out to shop, or did you work a bit in the
> garden?)
> GN19544 18:34
> GO19544 21:13

Are you kidding me with this? As I've already pointed out, the times I posted were already plainly visible, necessarily, in the headers of my messages. Needless to say I don't feel threatened by any of that, and if I were inclined to be, I would not be posting messages in a public forum. The fact that I may have sent 2, or 28, or ... some other number of messages which you can not in fact determine reliably in between is not particularly interesting. Presumably people use their e-mail clients to send messages--that's what they're for. You learned, in sum total, exactly nothing.

What I came back to this thread to post about was that I'm glad to see others discussing the difficulties with some of the suggestions, like hashing (hash what? How do you make sure it remains unique/avoids collisions, and is not susceptible to dictionary attack?), potentially adding dependencies on cryptographic libraries, etc., so I don't have to. It's what I was hoping would happen, so I didn't have to be the only one pointing that out.

This is actually a much harder problem than it seems like it should be on the surface. Given the general lack of sensitivity of the information leaked, and how hard it is to actually produce a genuinely unique message ID without leaking any info, I think it's really a complete waste of time to spend any more time on this problem. Mutt's implementation is plenty good enough.

In the over 20 years I've been on both Mutt lists, to my recollection I've never seen anyone post about EITHER a legitimate attack vector related to this, OR a practical problem caused by a real occurrence of duplicated message IDs--that, we would have taken pretty seriously. It's been brought up a few times, but IIRC purely in a theoretical context. This problem Just Doesn't Matter™.

--
Derek D. Martin http://www.pizzashack.org/ GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address. Replying to it will result in
undeliverable mail due to spam prevention. Sorry for the inconvenience.