Re: PGP 6.5.1 has been released
Mark Wooding (mdw EBI.AC.UK)
Tue, 13 Jul 1999 10:14:13 +0100
___Viper___ _ <viper_____ HOTMAIL.COM> wrote:
> "Having the option" never hurt anyone. You can produce SDAs, and use
> them if you wish, AND you can NOT open executables that arrived in
> your mailbox and you don't trust.

In this particular case, it's even sillier than usual.

There's now an active attack against symmetric passphrases. I can
fiddle with an SDA in transit so that it does its job normally and also
emails me the passphrase that successfully decrypted the archive.

So basically it's `protected by PGP's strong cryptography' which is
entirely wasted by a brain-damaged idea that some marketroid probably
thought would look kewl with a tick in the box next to it.

And that's without Steven Bellovin's completely legitimate concerns
about `executable content' in general: rich computing experiences and
all that.

Duh.

> It's madness to say that it is a "security threat". With your logic,
> e-mailing is a security threat as well ;-) Who knows what you can send
> over e-mail !

Quite so. I make sure that my mail reader won't do anything with a
message other than display it in a text window until I've had a chance
to examine it and decide what should happen next.

Executable email messages are one of the worst ideas I've ever heard
of. And that's saying something.

[Thanks to Clive Jones, who came up with the attack above.]

-- [mdw]
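
Added example, not part of the original message and not PGP's code or file format: a constructed model of a self-decrypting archive (stub code followed by a passphrase-encrypted payload) showing why the passphrase check cannot reveal a stub altered in transit, while a digest of the whole file obtained out of band can. The layout, the function names and the toy HMAC keystream are all assumptions made for illustration.

```python
import hashlib, hmac, os

# Constructed layout (an assumption): [stub: 32 bytes][salt: 16][tag: 32][ciphertext]
STUB_LEN = 32

def _keys(passphrase, salt):
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, 64)
    return km[:32], km[32:]          # encryption key, MAC key

def _keystream(key, n):
    # Toy HMAC-SHA256 counter keystream standing in for a real cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def build_sda(stub, plaintext, passphrase):
    assert len(stub) == STUB_LEN
    salt = os.urandom(16)
    enc_key, mac_key = _keys(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, len(plaintext))))
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return stub + salt + tag + ct

def open_payload(sda, passphrase):
    """Passphrase check plus decryption; note it never reads the stub bytes."""
    body = sda[STUB_LEN:]
    salt, tag, ct = body[:16], body[16:48], body[48:]
    enc_key, mac_key = _keys(passphrase, salt)
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        return None                  # wrong passphrase or damaged payload
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, len(ct))))

def whole_file_digest(sda):
    # Covers stub and payload; only useful if obtained over a trusted channel.
    return hashlib.sha256(sda).hexdigest()

def demo():
    sent = build_sda(b"S" * STUB_LEN, b"quarterly figures", "correct horse")
    expected = whole_file_digest(sent)            # conveyed out of band
    received = b"X" * STUB_LEN + sent[STUB_LEN:]  # stub replaced in transit
    payload_ok = open_payload(received, "correct horse") == b"quarterly figures"
    file_ok = hmac.compare_digest(whole_file_digest(received), expected)
    return payload_ok, file_ok       # (True, False): decrypts fine, file differs
```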
This archive was generated by hypermail 2.0b3 on Mon Jul 12 1999 - 20:25:53 CDT