There was a sporadic problem with our IMAP/PHP session management that occured around the 6th and 7th of this month. It was caused by a race condition that occasionally resulted in non-unique session IDs, in which case the second party to receive the duplicate ID would have limited access to the first party's IMAP account. I stress that this did not compromise private keys, passphrases, or encrypted mail at any point, as all encryption operations are handled in the client Java applet. There was no opening for a targeted attack - what exposure resulted was random. Sorry if this is a repeat post. Brian Smith, Hush Communications brian.smithat_private >Upon inquiry Hushmail confirmed that > they had a problem with user authentification but they > state that no encrypted email was exposed. I also have > to add that the PGP signature on the email sent > through my account did not verify. Nevertheless, the > email originated from Hushmails mailserver and reached > a recipient _containing_ a previous email. This can do > some serious damage to people handling confidential > matters through Hushmail. Hushmail states that the > problem has been fixed.
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 20:35:56 PDT