This is the tweet to link to, to end this silly debate.https://twitter.com/tqbf/status/996056901514420224 …
-
GPG supports MDCs and returns an error when they're suspiciously missing or wrong. We've already gone over the reasons why it can't fail early without returning any plaintext. It's not perfect, but most of the problem here is MUAs, not PGP.
I'm sure we can argue about just how clear usage requirements were, but when someone takes a decade+ old crypto flaw and uses it together with application logic mistakes and security issues, the correct response isn't "PGP is terrible, broken and doomed, stop using it".
-
-
The entire thing hinges on two scenarios: out of context decryption (100% an application layer problem) and in-context mutation (abuses known malleability problem; ignoring error code from mitigations is an application layer problem) all relying on an app layer back channel.
-
PGP shouldn’t have this malleability. Full stop.
End of conversation
New conversation -
-
-
Yes, I agree though, that remediation advice was garbage.
-
And I can’t think of any other time I would use that word in this context. Absolute garbage, bullshit, thank you for your good work but you have hit your wall terrible.
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.