Is ROPEMAKER a threat to email security?

edited September 2017 in Site discussion



Comments

  • So Mimecast are making noise because the big cats won't listen? Maybe they did listen: check Patch Tuesday, it has a lot of vulnerabilities in it, and it's just hidden because they don't want to give Mimecast the light.

    Although it's questionable why Mimecast would put people at risk when they know a lot of people don't like installing updates. I mean, a lot of companies are still rolling out Windows XP even now, and we all know how unsafe that thing is.

  • edited September 2017

    So what you guys are saying is, I can send you a link, and then change where that link goes to after the fact? No shit. Maybe I go further than a link and embed a remote script that I change after the fact... No shit. And the name "Ropemaker"? lol. Get out, please. You know what other exploit I discovered today? If people gain direct access to your PC they can shut it down by unplugging it from the wall... SHIT, guys. I call it "PISS", or "Power Interrupted System Side". Stop, kek, pls.


  • A lot of confusion in both this article and the comments. A few notes:

    1) There is no such thing as "falling between a vulnerability and a design flaw". In the security context, all design flaws pose vulnerabilities; just think a little bit about what you are saying, and also have a look at Wikipedia: https://en.wikipedia.org/wiki/Vulnerability_(computing);

    2) The size of emails using the Matrix technique could indeed be a small giveaway, but there is another technique that I labelled 'Content Property' which does not have that limitation;

    3) Microsoft Outlook for Mobile accepts this content by default. More importantly, even when it's blocked, the only reason presented in its warning banner is Privacy, and it is applied to a different resource (images), so even those users who accepted the warning banner have been accepting a different risk;

    4) Perhaps the main problem was not even covered here: breaking non-repudiation. It doesn't even matter whether a user has accepted the warning (if there is any); the problem is that users rely on emails as documents to take decisions, for auditing, for e-commerce, for presenting evidence in court, etc. When someone treats this as a Trust problem, they fail to acknowledge that you are more likely to be blackmailed or bribed by someone with whom you already have some level of trust to accept the communication in the first place. Trust between humans is not a static thing; it's something that changes all the time (that's why you have divorce!), yet messages received over email shouldn't, i.e. they should be able to provide (immutable) textual evidence with integrity over the transmitted data, but unfortunately they don't;

    5) No tools out there detect, or are able to perceive, the non-repudiation problem above;

    6) This can be done even in the presence of PGP or S/MIME, which take extra measures to prevent such a threat but fall short of doing so, which lends even more credibility to these emails, yet based on false expectations. Note that these technologies are generally only available for native email clients (the ones that are affected), since they aim to provide end-to-end encryption;

    7) You can read more about ROPEMAKER in my paper at http://www.digitalloft.org/init/plugin_wiki/page/ropemaker

    Kind regards,
    Francisco Ribeiro
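The following Python script is an added illustration of the point made in notes 2), 4) and 6) above; it is not code from the ROPEMAKER paper or from any of the commenters. It builds an HTML email whose visible account number and link label are supplied by a remote stylesheet through the CSS `content` property (my reading of what the comment calls the 'Content Property' technique), shows that the transmitted body, and therefore anything a DKIM, S/MIME or PGP signature covers, is byte-for-byte identical while the text the recipient reads changes with the stylesheet, and includes the check a practitioner can run on inbound mail: list every stylesheet the client would fetch at display time. The stylesheet host `css.example.net`, the addresses, the account numbers and the toy renderer are all constructed for the example; real clients implement far more CSS than the renderer models.

```python
"""Remote-CSS text substitution in HTML email, with a detector for remote
stylesheet references. Constructed example, not ROPEMAKER's own code."""
import hashlib
import re
from email.message import EmailMessage

# Assumption: a stylesheet host the sender controls (hypothetical name).
CSS_URL = "https://css.example.net/invoice.css"


def build_html(css_url: str) -> str:
    """HTML body whose visible text is partly supplied by remote CSS.

    The <span> elements are empty in the transmitted bytes; the text the
    recipient sees is injected by '#id::after { content: "..." }' rules.
    """
    return "\n".join([
        "<html><head>",
        f'<link rel="stylesheet" href="{css_url}">',
        "</head><body>",
        '<p>Please pay invoice 4711 to account <span id="acct"></span>.</p>',
        '<p>Portal: <a href="https://bank.example/pay">',
        '<span id="lbl"></span></a></p>',
        "</body></html>",
    ])


# Constructed stylesheets: what the host serves at delivery time, and what
# the sender swaps in later. Only the stylesheet changes, never the email.
CSS_AT_DELIVERY = (
    '#acct::after { content: "GB00 BANK 1234 5678"; }'
    '#lbl::after { content: "bank.example"; }'
)
CSS_AFTER_DELIVERY = (
    '#acct::after { content: "GB00 MULE 9999 0000"; }'
    '#lbl::after { content: "bank.example"; }'
)

_RULE = re.compile(r'#(\w+)::after\s*\{\s*content:\s*"([^"]*)"\s*;?\s*\}')
_SLOT = re.compile(r'<span id="(\w+)"></span>')


def render_text(html: str, css: str) -> str:
    """Toy renderer: apply '#id::after { content }' rules, then strip tags.

    Models only the one CSS feature needed to show that the displayed text
    depends on a resource fetched when the message is viewed, not when sent.
    """
    injected = dict(_RULE.findall(css))
    filled = _SLOT.sub(lambda m: injected.get(m.group(1), ""), html)
    return " ".join(re.sub(r"<[^>]+>", " ", filled).split())


def build_message(css_url: str) -> EmailMessage:
    """The message as it would be signed and transmitted (constructed)."""
    msg = EmailMessage()
    msg["From"] = "billing@supplier.example"
    msg["To"] = "ap@victim.example"
    msg["Subject"] = "Invoice 4711"
    msg.set_content(build_html(css_url), subtype="html")
    return msg


def body_digest(msg: EmailMessage) -> str:
    """SHA-256 of the transmitted body: the bytes DKIM/S-MIME/PGP vouch for."""
    return hashlib.sha256(msg.get_content().encode()).hexdigest()


_LINK = re.compile(r'<link[^>]+rel\s*=\s*"?stylesheet"?[^>]*>', re.I)
_HREF = re.compile(r'href\s*=\s*"([^"]+)"', re.I)
_IMPORT = re.compile(r'@import\s+(?:url\()?["\']?([^"\')\s;]+)', re.I)


def remote_style_refs(html: str) -> list:
    """URLs of stylesheets a CSS-capable client would fetch at display time.

    Inbound-mail check: any hit means the rendered text is not fixed by the
    signed body. Blocking remote CSS, or flattening to plain text, removes it.
    """
    refs = []
    for tag in _LINK.findall(html):
        m = _HREF.search(tag)
        if m and m.group(1).lower().startswith(("http://", "https://")):
            refs.append(m.group(1))
    for url in _IMPORT.findall(html):
        if url.lower().startswith(("http://", "https://")):
            refs.append(url)
    return refs


if __name__ == "__main__":
    msg = build_message(CSS_URL)
    html = msg.get_content()
    print("signed body digest:", body_digest(msg))
    print("seen at delivery  :", render_text(html, CSS_AT_DELIVERY))
    print("seen later        :", render_text(html, CSS_AFTER_DELIVERY))
    print("remote stylesheets:", remote_style_refs(html))
```

Run as a script it prints one body digest and two different rendered texts, which is the non-repudiation gap in note 4): the signature still verifies on the later rendering because the signed bytes never changed. The `remote_style_refs` check is the part worth wiring into a gateway or a mailbox audit; it flags only stylesheets fetched over HTTP(S), since an inline `<style>` block travels inside the signed body and cannot be swapped after delivery.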
