GPZ> So we found these vulns related to CPU specula- Academia> ME ME ME TOO ALSO HERE'S A NAME AND A LOGO THE WORLD IS ENDING!!! Cure53> So Enigmail has some issue- Academia> OMG PGP IS DEAD EVERYONE STOP USING IT NOW ALSO NAME AND A LOGO!!! Starting to notice a pattern here.
-
Did Cure53 get arbitrary plaintext exfiltration across many clients? Serious question. I missed this result. Link?
"Arbitrary" is, er, rather generous. But sure, Cure53 didn't get the automated exfiltration, but did set the stage with the partial decryption story. My point is rather about the FUD that academic security teams seem to be rather prone to lately.
-
-
I would go further: the fact that you can maul encrypted PGP emails in various ways was known well before Cure53. It’s been known since the late 1990s. But nobody has ever taken it seriously enough to comprehensively address it across all clients. Guess why?
-
IMO, because active content in e-mails is an ancient horse that has been beaten to death and the fact that this is *still* a problem just demonstrates a pervasive failure of email clients to take privacy seriously, PGP completely aside.
- Show replies
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.