I’m reading the man page and looking for the place where GPG instructs users not to render plaintext if an MDC isn’t present on a message. Can someone help me find it?
Replying to @tqbf
Hmm, I think I'm on team client bugs. I know about gpg message modification, and have found attacks before (e.g. CVE-2006-0049). If client is not waiting for the DECRYPTION_OKAY status-fd message, that seems clearly client bug to me?
3 replies 3 retweets 16 likes -
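An added example (not part of the thread or of GnuPG) of the client-side check the tweet above refers to: buffer gpg's output and release it only after the `--status-fd` stream reports `DECRYPTION_OKAY` with no failure keyword. The status lines are constructed samples, the function names are hypothetical, and rejecting a `DECRYPTION_INFO` line that shows neither MDC nor AEAD is a stricter policy assumed here.

```python
STATUS_PREFIX = "[GNUPG:] "
FAILURE_KEYWORDS = {"DECRYPTION_FAILED", "BADMDC"}

def plaintext_is_authenticated(status_lines):
    """True only if the status stream reports a successful,
    integrity-protected decryption."""
    seen = set()
    unprotected = False
    for line in status_lines:
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        seen.add(fields[0])
        # DECRYPTION_INFO <mdc_method> <sym_algo> [<aead_algo>] (doc/DETAILS).
        # Assumed policy: mdc_method 0 and no AEAD algorithm means unprotected.
        if fields[0] == "DECRYPTION_INFO" and len(fields) >= 2:
            aead = fields[3] if len(fields) >= 4 else "0"
            if fields[1] == "0" and aead == "0":
                unprotected = True
    if unprotected or seen & FAILURE_KEYWORDS:
        return False
    return "DECRYPTION_OKAY" in seen

def release_plaintext(buffered_plaintext, status_lines):
    """Return the buffered bytes only after the verdict is in, else None.
    gpg streams plaintext before the final status lines, so the caller
    must hold the bytes back until this check passes."""
    if plaintext_is_authenticated(status_lines):
        return buffered_plaintext
    return None

# Constructed status streams, in the order gpg writes them.
OK_STREAM = ["[GNUPG:] BEGIN_DECRYPTION", "[GNUPG:] DECRYPTION_INFO 2 9",
             "[GNUPG:] PLAINTEXT 62 0 ", "[GNUPG:] GOODMDC",
             "[GNUPG:] DECRYPTION_OKAY", "[GNUPG:] END_DECRYPTION"]
TAMPERED_STREAM = ["[GNUPG:] BEGIN_DECRYPTION", "[GNUPG:] DECRYPTION_INFO 2 9",
                   "[GNUPG:] PLAINTEXT 62 0 ", "[GNUPG:] BADMDC",
                   "[GNUPG:] DECRYPTION_FAILED", "[GNUPG:] END_DECRYPTION"]
NO_MDC_STREAM = ["[GNUPG:] BEGIN_DECRYPTION", "[GNUPG:] DECRYPTION_INFO 0 9",
                 "[GNUPG:] PLAINTEXT 62 0 ", "[GNUPG:] DECRYPTION_OKAY",
                 "[GNUPG:] END_DECRYPTION"]

if __name__ == "__main__":
    for name, stream in [("ok", OK_STREAM), ("tampered", TAMPERED_STREAM),
                         ("no-mdc", NO_MDC_STREAM)]:
        print(name, release_plaintext(b"secret", stream))
```

In the tampered sample the `PLAINTEXT` line precedes `BADMDC`, which is why the bytes have to be buffered rather than rendered as they arrive.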
Replying to @taviso
Everybody who works in cryptography vulnerabilities is just sort of staring at you slack-jawed. Don’t provide unauthenticated plaintext to callers.
2 replies 2 retweets 10 likes -
"Don't provide code execution, network access, and read access to private data to third parties" is a lot more fundamental.
1 reply 0 retweets 0 likes -
There are almost surely vulnerabilities using these same underlying HTML+DOM+JS crapware layer *design flaws* in HTML email clients that have nothing to do with crypto.
2 replies 0 retweets 0 likes
I wouldn't be surprised if there are tricks to exfiltrate continuation of a thread you were previously quoted on after you're un-cc'd from it.