On 09/22/2016 12:02 PM, Michael Fischer wrote:
OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
=====================================================================

Severity: High

A malicious client can send an excessively large OCSP Status Request extension.
....
</quote>

I have no doubt about the existence of 'malicious clients'.

But like we advise people not to use HTML mail and not click on those seemingly innocent links that actually lurk underneath the innocent-looking link, and not to open attachments from people you don't know, there's a 'don't visit strange sites' etc etc advice we give, or should give our users.

It's futile, though.

Yes, I'm sure Good Sites can be hacked, friends and relatives and otherwise bona fide correspondents get their accounts hacked or their email spoofed and things turn nasty. But don't deliberately go out there and cause confusion and invite malware. You may end up being that 'trusted correspondent' who actually has their account hacked.

What's the couplet from that Don McLean song?

    They would not listen, they're not listening still
    Perhaps they never will

--
The mantra of any good security engineer is: 'Security is not a product, but a process.' It's more than designing strong cryptography into a system; it's designing the entire system such that all security measures, including cryptography, work together.
    -- Bruce Schneier