[Mimedefang] Minor web attachment privacy problem.
David F. Skoll
dfs at roaringpenguin.com
Thu Jun 26 17:07:01 EDT 2003
On Thu, 26 Jun 2003, Jeffrey Goldberg wrote:

> E can conclude that someone at A's site sent the document (or that someone
> at B's site was an intended recipient).

No; E can conclude only that someone, somewhere sent the document to someone
at B's site. (The sender might not have been at A's site.)

However, you're right; this does leak a little bit of information.

> Solution: Instead of taking the SHA hash of the document itself, take the
> SHA hash of the document concatenated with some secret (but constant)
> server key.

This is a good solution. I'll implement it for 2.35.

Regards,
David.
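
The fix agreed in this message, as an added example that is not part of the original post and is not MIMEDefang's code: it compares a name derived from the document alone with one derived from the document concatenated with a constant server key. It assumes the hash serves as the stored attachment's name; SHA-256, the 32-byte key, the sample document and all function names are assumptions, and the HMAC variant is an alternative the thread does not mention.

```python
import hashlib
import hmac
import secrets

# Constructed sample attachment; any byte string works.
SAMPLE_DOC = b"%PDF-1.4 constructed sample attachment body\n"

def unkeyed_name(document: bytes) -> str:
    """Name from the document alone: anyone holding a copy can recompute it."""
    return hashlib.sha256(document).hexdigest()

def keyed_name(document: bytes, server_key: bytes) -> str:
    """Name from SHA(document || server_key), the construction proposed in the thread."""
    digest = hashlib.sha256()
    digest.update(document)
    digest.update(server_key)
    return digest.hexdigest()

def hmac_name(document: bytes, server_key: bytes) -> str:
    """Alternative not from the thread: HMAC, the standard keyed-hash construction."""
    return hmac.new(server_key, document, hashlib.sha256).hexdigest()

def outsider_can_confirm(stored_name: str, document: bytes) -> bool:
    """True if a party with the document but no server key can reproduce the stored name."""
    return hmac.compare_digest(unkeyed_name(document), stored_name)

def demo() -> dict:
    key_b = secrets.token_bytes(32)      # secret, constant per server (hypothetical site B)
    key_other = secrets.token_bytes(32)  # a different server's key
    return {
        "unkeyed_confirmable": outsider_can_confirm(unkeyed_name(SAMPLE_DOC), SAMPLE_DOC),
        "keyed_confirmable": outsider_can_confirm(keyed_name(SAMPLE_DOC, key_b), SAMPLE_DOC),
        "stable_on_same_server": keyed_name(SAMPLE_DOC, key_b) == keyed_name(SAMPLE_DOC, key_b),
        "differs_across_servers": keyed_name(SAMPLE_DOC, key_b) != keyed_name(SAMPLE_DOC, key_other),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Because the key is constant on a given server, the same document still maps to the same name there, while a party without the key cannot test whether that document was stored.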