1. Forum
  2. Usenet
  3. COMP.SECURITY.SSH

  • How to send info by using an encrypted communications channel

    From [email protected]@21:1/5 to All on Fri Apr 19 07:03:28 2019
    I found a possible vulnerability and after reading info on the putty site, it said the best way to let us know is by using an encrypted communications channel. I have no idea how to do that.
    Can some one explain? Do I attached something to an email, go to a specific web address?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Simon Tatham@21:1/5 to [email protected] on Fri Apr 19 15:49:48 2019
    <[email protected]> wrote:
    I found a possible vulnerability and after reading info on the putty
    site, it said the best way to let us know is by using an encrypted communications channel. I have no idea how to do that.

    At the moment, if you have a vulnerability to report in PuTTY, you'd
    do best to report it through the HackerOne link in the news section on
    the front page, because you can earn a bounty if it's a valid report.

    Failing that, the usual approach is to send GPG-encrypted email to the development team, using the secure contact key on the Keys page of the
    web site.
    --
    import hashlib; print((lambda p,q,g,y,r,s,m: (lambda w:(pow(g,int(hashlib.sha1( m.encode('ascii')).hexdigest(),16)*w%q,p)*pow(y,r*w%q,p)%p)%q)(pow(s,q-2,q))==r and m)(0xb80b5dacabab6145,0xf70027d345023,0x7643bc4018957897,0x11c2e5d9951130c9 ,0xa54d9cbe4e8ab,0x746c50eaa1910, "Simon Tatham <[email protected]>" ))

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From [email protected]@21:1/5 to Simon Tatham on Fri Apr 19 09:39:33 2019
    On Friday, April 19, 2019 at 10:49:52 AM UTC-4, Simon Tatham wrote:
    <[email protected]> wrote:
    I found a possible vulnerability and after reading info on the putty
    site, it said the best way to let us know is by using an encrypted communications channel. I have no idea how to do that.

    At the moment, if you have a vulnerability to report in PuTTY, you'd
    do best to report it through the HackerOne link in the news section on
    the front page, because you can earn a bounty if it's a valid report.

    Failing that, the usual approach is to send GPG-encrypted email to the development team, using the secure contact key on the Keys page of the
    web site.
    --
    import hashlib; print((lambda p,q,g,y,r,s,m: (lambda w:(pow(g,int(hashlib.sha1(
    m.encode('ascii')).hexdigest(),16)*w%q,p)*pow(y,r*w%q,p)%p)%q)(pow(s,q-2,q))==r
    and m)(0xb80b5dacabab6145,0xf70027d345023,0x7643bc4018957897,0x11c2e5d9951130c9
    ,0xa54d9cbe4e8ab,0x746c50eaa1910, "Simon Tatham <[email protected]>" ))

    OK.
    After reading the HackerOne scope, looks like when logged on as a different user, I cannot see the vulnerability.
    So, I guess nothing to report.

    Thanks!

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)