On Jul 4, 2008, at 10:00 AM, Maurice Volaski wrote:
Please bear in mind that in the world of cryptography, the difference
between proper error messages and information disclosure
vulnerabilities is narrow, or only a nuance.
IMHO, you have it backwards. It is the improper error messages that
can pose a security risk. If my OpenSSH program is either
misconfigured or malfunctioning, and it may be exposing my systems to
something nefarious, then how am I to efficiently debug it
That's why it fails at that point.
-b