I wrote a long post about the Efail disclosure to stop myself from tweeting about it anymore. Also it says mean things about PGP which I will regret for months. https://blog.cryptographyengineering.com/2018/05/17/was-the-efail-disclosure-horribly-screwed-up/
"PGP is probably due for replacement" is, at this point, an evergreen infosec tweet
Just remember that for all its flaws, one of the Efail approaches doesn't even rely on a core PGP problem at all, and the other one only works on ancient emails for clients that correctly check error codes. PGP has problems, but isn't the biggest contributor here.
If I had to put the root causes in decreasing order of sadness it would be HTML email privacy still being crap, PGP mail standards being terrible, forgetting to check return codes, and gnupg's behavior with legacy ciphers.
Could HTML email privacy ever not be crap?
We heard a lot of people saying "OpenSSL should be replaced" when Heartbleed was disclosed. Same thing happens here with GPG. Fact is lots of projects still use OpenSSL. Same might happen with GPG. As usual, lots of people complain, not a lot of people propose alternatives/fixes.
The difference is TLS is a much better place as a standard and has multiple popular implementations (and new ones are being written to address the problems), while PGP is basically a GPG monoculture. It's a much smaller community.