E-Mail is now 8-bit transparent!

From: Markus G. Kuhn (kuhn@cs.purdue.edu)
Date: Fri Jul 11 1997 - 16:57:48 EDT


"Alain LaBont/e'/ SCT" <alb@riq.qc.ca> wrote on 1997-07-11 07:11 UTC:
> You know, the 7-bit stripping of my messages is infinitely more
> problematic. And QUOTED-UNREADABLE too... outside of the English-speaking
> world we suffer when we want to speak our language with correspondents
> which happen to be located in SMTP-dogma-bound (mainly
> English-speaking-only) environments.

Oh, this old SMTP story again. SMTP is history. What happened is the
following: Many SMTP implementations, most notably Unix sendmail, have
suffered the discovery of *very* significant security vulnerabilities in
the past 24 months. If you are still using an old sendmail version,
then any 13-year-old kid can now easily get supervisor access through your
sendmail program and read/destroy any file on your hard disk. Easy exploit
scripts are widely available, just check the bugtraq archives. Firewalls
do not prevent this attack form as firewalls forward the deadly
SMTP connections. The details are documented in numerous CERT
advisories.

The new software versions where these security bugs have been fixed
are all fully ESMTP capable, i.e. they are 8-bit transparent. Since
system administrators had to upgrade their legacy e-mail systems all over
the world last year for security reasons, we got a very fast and
complete ESMTP upgrade for free.

These events, which have been largely unnoticed by the character set
community, have practically eradicated old non-ESMTP versions of sendmail
from this planet and have therefore practically solved the old Internet
7-bit transparency problem. The 8-bit transparency statistics from 1995
are obsolete today. Quoted-printable encoding is obsolete today.

If you *do* know a host that still has an old 7-bit sendmail running, then
I can reformat the hard disk of this host at any time in a minute from
my desk here using easy-to-use plug-and-pray exploit scripts, and we
will have one 7-bit e-mail system less on the network. You should inform
the responsible system administrator about her negligence immediately,
referring her to

ftp://info.cert.org/pub/cert_advisories/CA-95:08.sendmail.v.5.vulnerability
ftp://info.cert.org/pub/cert_advisories/CA-96.24.sendmail.daemon.mode
ftp://info.cert.org/pub/cert_advisories/CA-97.05.sendmail

Markus

-- 
Markus G. Kuhn, Computer Science grad student, Purdue
University, Indiana, USA -- email: kuhn@cs.purdue.edu
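
Added example, not part of the original message: whether a given server accepts unencoded 8-bit bodies can be read from its EHLO reply, where the 8BITMIME keyword (RFC 1652) signals it, and a sender falls back to quoted-printable otherwise. The function names and both sample replies below are constructed for illustration.

```python
import quopri

# Constructed EHLO replies (not captured from real hosts).
ESMTP_REPLY = (
    "250-mail.example.org Hello client.example.net\r\n"
    "250-SIZE 10485760\r\n"
    "250-8BITMIME\r\n"
    "250 HELP\r\n"
)
LEGACY_REPLY = "500 Command unrecognized\r\n"  # pre-ESMTP server rejects EHLO


def parse_ehlo(reply):
    """Return {KEYWORD: params} from an EHLO reply, or None if EHLO failed."""
    lines = reply.splitlines()
    ok = lines and all(
        l[:3] == "250" and l[3:4] in ("-", " ", "") for l in lines
    )
    if not ok:
        return None
    ext = {}
    for line in lines[1:]:  # first line is the greeting, not an extension
        word, _, params = line[4:].partition(" ")
        ext[word.upper()] = params
    return ext


def plan_delivery(body, ehlo_reply):
    """Pick the MAIL FROM parameter, transfer encoding and wire bytes."""
    ext = parse_ehlo(ehlo_reply)
    if all(b < 0x80 for b in body):
        # Pure 7-bit content passes through any SMTP server unchanged.
        return "", "7bit", body
    if ext is not None and "8BITMIME" in ext:
        # Server advertised 8BITMIME: send raw octets and declare them.
        return " BODY=8BITMIME", "8bit", body
    # No 8BITMIME (or no ESMTP at all): encode so only 7-bit octets travel.
    return "", "quoted-printable", quopri.encodestring(body)
```
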


