GPZ> So we found these vulns related to CPU specula- Academia> ME ME ME TOO ALSO HERE'S A NAME AND A LOGO THE WORLD IS ENDING!!! Cure53> So Enigmail has some issue- Academia> OMG PGP IS DEAD EVERYONE STOP USING IT NOW ALSO NAME AND A LOGO!!! Starting to notice a pattern here.
-
I would go further: the fact that you can maul encrypted PGP emails in various ways was known well before Cure53. It’s been known since the late 1990s. But nobody has ever taken it seriously enough to comprehensively address it across all clients. Guess why?
IMO, because active content in e-mails is an ancient horse that has been beaten to death and the fact that this is *still* a problem just demonstrates a pervasive failure of email clients to take privacy seriously, PGP completely aside.
-
-
This isn’t just about active content. It’s about the fact that active content can be subtly and comprehensively inserted into encrypted emails using very sophisticated cryptographic techniques, AND that content can be made to exfiltrate other encrypted portions of the data.
-
When you simplify it to “active content” you do a disservice to both the cryptographic sophistication of the attack AND the severity of the vuln (particularly for S/MIME). This is why things don’t ever get fixed.
- Show replies
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.