Bugtraq mailing list archives
Re: PGP 6.5.1 has been released
From: mdw () EBI AC UK (Mark Wooding)
Date: Tue, 13 Jul 1999 10:14:13 +0100
___Viper___ _ <viper_____ () HOTMAIL COM> wrote:
> "Having the option" never hurt anyone. You can produce SDAs, and use them if you wish, AND you can NOT open executables that arrived in your mailbox and you don't trust.
In this particular case, it's even sillier than usual. There's now an active attack against symmetric passphrases. I can fiddle with an SDA in transit so that it does its job normally and also emails me the passphrase that successfully decrypted the archive. So basically it's `protected by PGP's strong cryptography' which is entirely wasted by a brain-damaged idea that some marketroid probably thought would look kewl with a tick in the box next to it. And that's without Steven Bellovin's completely legitimate concerns about `executable content' in general: rich computing experiences and all that. Duh.
> It's madness to say that it is a "security threat". With your logic, e-mailing is a security threat as well ;-) Who knows what you can send over e-mail!
Quite so. I make sure that my mail reader won't do anything with a message other than display it in a text window until I've had a chance to examine it and decide what should happen next. Executable email messages are one of the worst ideas I've ever heard of. And that's saying something.

[Thanks to Clive Jones, who came up with the attack above.]

-- [mdw]