I wrote a long post about the Efail disclosure to stop myself from tweeting about it anymore. Also it says mean things about PGP which I will regret for months. https://blog.cryptographyengineering.com/2018/05/17/was-the-efail-disclosure-horribly-screwed-up/ …
If I had to put the root causes in decreasing order of sadness it would be HTML email privacy still being crap, PGP mail standards being terrible, forgetting to check return codes, and gnupg's behavior with legacy ciphers.
Could HTML email privacy ever not be crap?
Yes. You sandbox the HTML renderer and don't give it network access. At all. We should already be doing that for hardening anyway, like browsers do. Instead of this stupid whack-a-mole of what network-related HTML feature did we forget to lock down today.