I wrote a long post about the Efail disclosure to stop myself from tweeting about it anymore. Also it says mean things about PGP which I will regret for months. https://blog.cryptographyengineering.com/2018/05/17/was-the-efail-disclosure-horribly-screwed-up/ …
The MIME parsing stuff is super duper embarrassing. It’s obvious they were working on the crypto attack and just stumbled on this.
“We figured out how to pick the door lock but then we noticed all the windows were open” is not a great excuse for the security of someone’s building.
Whichever is the “bigger” problem, it remains a huge one that PGP uses a mode that has been known to be insecure for nearly 2 decades. That vulnerability has now been exploited. The fact that PGP advocates don’t acknowledge this does little for their credibility.
I have some sympathy for slowness in moving to AE. We only did so in 2012. But saying “I can continue to use actively exploited broken crypto, because I can’t see how someone might exploit it in my system” is not good.