The problem is not that the issue is related to email address disclosure, but that it shows that the project is struggling with minor/trivial tasks. Security is based on trust. I have to trust "Let's Encrypt" that their do their cerfication correctly and that nobody else has access to their infrastructure. And this incident at least doesn't increase my trust.
That is why I kinda disagree with Nisto. No security is better than the false sense of security, which is deceiving and dangerous.
|