I’m reading the man page and looking for the place where GPG instructs users not to render plaintext if an MDC isn’t present on a message. Can someone help me find it?
Replying to @tqbf
Hmm, I think I'm on team client bugs. I know about gpg message modification, and have found attacks before (e.g. CVE-2006-0049). If the client is not waiting for the DECRYPTION_OKAY status-fd message, that seems clearly a client bug to me?
3 replies 3 retweets 16 likes
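The check the tweet above describes, as an added example that is not part of the thread or of GnuPG's own code: a small wrapper that reads the `--status-fd` stream and only hands plaintext to the caller once gpg has reported `DECRYPTION_OKAY` and `GOODMDC`. The status keywords are the documented ones; the release policy (also refusing output when no MDC was seen, which older gpg versions only warned about) and the three sample status streams are my own construction.

```python
"""Release gpg output only after the status-fd stream confirms decryption and MDC.

Added example (not GnuPG's code). Assumes gpg is invoked with --status-fd
pointing at stderr; the policy in judge() is this example's own.
"""
import subprocess
from dataclasses import dataclass
from typing import Optional, Set

STATUS_PREFIX = "[GNUPG:] "


@dataclass(frozen=True)
class DecryptionVerdict:
    release: bool   # may the caller see the plaintext?
    reason: str


def parse_status_lines(stderr_text: str) -> Set[str]:
    """Collect the status keywords from a --status-fd stream.

    gpg writes one '[GNUPG:] KEYWORD [args]' line per event; everything
    else on the stream is human-readable warnings and is ignored here.
    """
    keywords = set()
    for line in stderr_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        rest = line[len(STATUS_PREFIX):].strip()
        if rest:
            keywords.add(rest.split(maxsplit=1)[0])
    return keywords


def judge(status_keywords: Set[str]) -> DecryptionVerdict:
    """Decide whether plaintext may be released. Order matters: any failure
    keyword wins over any success keyword, and absence of success is failure."""
    if "DECRYPTION_FAILED" in status_keywords or "BADMDC" in status_keywords:
        return DecryptionVerdict(False, "gpg reported a decryption or integrity failure")
    if "DECRYPTION_OKAY" not in status_keywords:
        return DecryptionVerdict(False, "DECRYPTION_OKAY never arrived; treat output as garbage")
    if "GOODMDC" not in status_keywords:
        return DecryptionVerdict(False, "no MDC seen; plaintext is unauthenticated")
    return DecryptionVerdict(True, "decrypted and integrity-protected")


def decrypt_with_gpg(ciphertext: bytes) -> Optional[bytes]:
    """Run gpg and return plaintext only if judge() approves (None otherwise).
    Not exercised by the tests below, which only use constructed status text."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "2", "--decrypt"],
        input=ciphertext, capture_output=True, check=False,
    )
    verdict = judge(parse_status_lines(proc.stderr.decode("utf-8", "replace")))
    return proc.stdout if verdict.release else None


# Constructed status streams (not captured from a real gpg run) for the three cases.
GOOD_STATUS = """\
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] PLAINTEXT 62 0
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION
"""

NO_MDC_STATUS = """\
[GNUPG:] BEGIN_DECRYPTION
gpg: WARNING: message was not integrity protected
[GNUPG:] PLAINTEXT 62 0
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION
"""

BAD_MDC_STATUS = """\
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] PLAINTEXT 62 0
[GNUPG:] BADMDC
[GNUPG:] DECRYPTION_FAILED
[GNUPG:] END_DECRYPTION
"""


if __name__ == "__main__":
    for name, text in (("good", GOOD_STATUS), ("no-mdc", NO_MDC_STATUS), ("bad-mdc", BAD_MDC_STATUS)):
        v = judge(parse_status_lines(text))
        print(f"{name}: release={v.release} ({v.reason})")
```

The important property is that the wrapper never returns stdout on the strength of gpg's exit code or of a partial stream: the plaintext is buffered until the whole status stream has been read, and a stream that is cut off before `DECRYPTION_OKAY` is treated the same as an explicit failure.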
Replying to @taviso
Everybody who works in cryptography vulnerabilities is just sort of staring at you slack-jawed. Don’t provide unauthenticated plaintext to callers.
2 replies 2 retweets 10 likes
"Don't provide code execution, network access, and read access to private data to third parties" is a lot more fundamental.
1 reply 0 retweets 0 likes
There are almost surely vulnerabilities using these same underlying HTML+DOM+JS crapware layer *design flaws* in HTML email clients that have nothing to do with crypto.
2 replies 0 retweets 0 likes
I'd rather just throw out ideas and let someone with interest find and publicize them. To me, the whole architecture is a design flaw and the right solution is "don't use HTML+DOM+JS-based mail clients, instead strip HTML mail down to plain text with dumb filters".
1 reply 0 retweets 0 likes
Replying to @RichFelker @taviso
I think the 1,000 Angriest Unix Sysops Brigade has opinions about HTML email that differ starkly from the other 7.6 billion people in the world.
1 reply 0 retweets 0 likes
It's just a matter of knowledge. If you sat down a random sample of those 7.6 billion and explained the privacy & safety implications of badly-designed HTML mail, something like 75-95% would be quite unhappy.