Phishing Server Change

Michael Weiser michael at weiser.dinsnail.net
Thu Aug 3 15:38:22 UTC 2017


Hi Jerry,

On Thu, Aug 03, 2017 at 01:03:07AM -0400, Jerry Benton wrote:

> Please use the updated version of the phishing updates script from
> http://phishing.mailscanner.info/

I just diffed the scripts with my v5 install and looked at the GitHub
repo. From that, do I assume correctly that v5 users don't need to do
anything because curl has been the default ever since the initial commit
in 2016?

Another tought: TLS supports compression which would be transparent and
therefore work with wget as well because it's handled by the TLS
implementation. It would also prevent tampering with the update in
transit and make it possible to verify authenticity of the update
source. With Let's Encrypt you wouldn't need to pay anything for the
certificate. The CRIME exploit based on TLS compression does not apply
here because the content is completely public and information leakage
isn't a problem.

The only problem I see is that some Linux distributions have actually
compiled TLS compression support out of the SSL implementations they
ship because of CRIME...
-- 
Thanks,
Michael


More information about the MailScanner mailing list