[Chandler-dev] Re: [Sum of Talk with Randy] Re: [cosmo-dev] options to fix security hole

Jeffrey Harris jeffrey at osafoundation.org
Fri Feb 22 11:44:58 PST 2008


Hi Grant,

> 1. Convincing ourselves that we can live with the threat. In other 
> words, we are OK given the combination of how rare we think said 
> eavesdropping will be, and how severe the above consequences are.

I'm pretty OK with this, but I realize there's likely to be a broad 
spectrum of opinion from users about security, hard to know where to 
draw the lines.

> 2. Adding some kind of warning/confirmation UI (possibly tied to a 
> preference) to the desktop client.

Sure.

> 3. Designing and implementing something more secure here (probably out 
> of scope, but if someone has a bright and easily implemented idea ...).

My only thought is instead of issuing the real ticket, we could issue a 
use-once ticket that returns the real ticket.  That way if you add the 
item and it works, you know the NSA didn't hack your data using that 
particular vector.  This of course would rely on us sending different 
tickets to different recipients, which we aren't doing now.

Doesn't seem worth the effort to me, but I thought I'd mention it.

> 4. Living with the bug, i.e. not allowing users to add items they 
> receive via email to new collections.

Not ideal, seems to me.

Sincerely,
Jeffrey
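
The use-once ticket idea from the message above, sketched as an added example; it is not part of the original e-mail and is not Cosmo or Chandler code. The `TicketExchange` class, its method names and the sample values are hypothetical, and it assumes a single-process in-memory store.

```python
import hashlib
import secrets


class TicketExchange:
    """Hypothetical in-memory store: use-once ticket -> real ticket."""

    def __init__(self):
        # sha256(use-once ticket) -> [real_ticket, recipient, redeemed]
        self._entries = {}

    @staticmethod
    def _digest(token):
        # Keep only a hash so a leaked store does not expose live tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, real_ticket, recipient):
        """Mint a distinct use-once ticket for each recipient."""
        token = secrets.token_urlsafe(32)
        self._entries[self._digest(token)] = [real_ticket, recipient, False]
        return token

    def redeem(self, token):
        """Return the real ticket on first use, None if unknown or already used."""
        entry = self._entries.get(self._digest(token))
        if entry is None or entry[2]:
            return None
        entry[2] = True
        return entry[0]


def demo():
    exchange = TicketExchange()
    real = "constructed-real-ticket"  # constructed sample value
    alice = exchange.issue(real, "alice@example.com")
    bob = exchange.issue(real, "bob@example.com")
    return {
        "distinct": alice != bob,
        # First redemption works: nobody used Alice's ticket before her.
        "alice_first": exchange.redeem(alice),
        # A second use of the same ticket is refused.
        "alice_replay": exchange.redeem(alice),
        # Bob's ticket is independent of Alice's.
        "bob_first": exchange.redeem(bob),
    }


if __name__ == "__main__":
    print(demo())
```

If a recipient's own first redemption returns `None`, that ticket was already used by someone else, which is the converse of the "it works" check in the message.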

