however, this is a list of people in the forefront of addressing global security issues and -- i would think -- subscribers would certainly want their personal info (U.S. Title XIII PII) to be as secure as the issues they are grappling with rather than having it published in the clear. the security issue re the subscriber email addr spreads beyond the actual person as well. suppose we have henrietta schmidt who is the email security officer for xyz corp who is addressed as h.schm...@xyz.com. since most large firms and almost all gov agencies have rigid mailbox addressing schemes, it is quite possible to extrapolate from this one email addr to a much wider range. like xyz's CIO joe blow who is most likely to be found at j.b...@xyz.com or some close variant.
the payoffs for the successful breaching of systems of large firms and governments are huge and it does not require much imagination to deduce that the pantheon of perpetrators is large, their diligence is intense, and their numbers are not confined to a bunch of "script kiddies". quite plainly, i do not believe that openssl should be making their job easier.
--
Thank you,
Johann v. Preußen

On 2016.Apr.04 14:49, Jeffrey Walton wrote:

On Mon, Apr 4, 2016 at 5:32 PM, Johann v. Preußen <j...@forthepolls.org> wrote:

right now our conversation is bi-directional since the listserv is off-line. i also looked at the headers and they do seem to originate within google itself (bogon receipts). so, are you telling me that the mere fact that an email is addressed to the list will get it published without verifying that the sender is a subscriber? everything else i mention relates to the needless exposure of the subscriber's real name and email addr and the permitting of private anchors. obviously, i believe that these practices greatly increase security risks for the subscriber and will subject them to a potential flood of noxious junk.

Yes, I agree Johann. The thing I would point out is there's usually no expectation of privacy with a mailing list, so users should not be surprised if their email address shows up in a traditional email header or an X-header somewhere. What piqued my interest was that sudden spurt of spam. Something was not right, but I could not finger it.

Jeff
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users