On Mon, 24 Jul 2006 11:59:34 CDT, Paul Schmehl said: > What does that prove? > > telnet mail.40networks.com 25 > Trying 64.114.199.200... > Connected to mail.40networks.com. > Escape character is '^]'. > 220 40networks.com ESMTP Sendmail 8.13.1/8.13.1; Mon, 24 Jul 2006 > 09:45:17 -0700 > EHLO utdallas.edu Paul, Paul, Paul... You *really* need to pay attention. Yes, you can do the whole telnet thing. That wasn't what she said. What she *said* was that *if* I were to mail her a large random number, like this: % dd if=/dev/urandom bs=16 count=16 2> /dev/null | md5sum 63cbd14c2612b7cbc7b7ce6d0e0b7fcb - that she would be able to repeat that number back to me - proving that she's at least sufficiently Alice that she can read Alice's mail and respond to it. Strictly speaking, it doesn't prove she's Alice - but it proves she's in control of that e-mail address. Usually that's considered "close enough", as demonstrated by all the mailing list software that considers "reply to this random cookie/link/whatever to confirm your subscription" (which is exactly this same "proof of pseudo-identity"...) Yes, she could have hijacked the real Alice's e-mail account - but at that point, Alice has bigger problems already....
Attachment:
pgpMp4obEfjhq.pgp
Description: PGP signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/