Bugtraq mailing list archives

Re: PGP 6.5.1 has been released


From: mdw () EBI AC UK (Mark Wooding)
Date: Tue, 13 Jul 1999 10:14:13 +0100


___Viper___ _ <viper_____ () HOTMAIL COM> wrote:

> "Having the option" never hurt anyone.  You can produce SDAs, and use
> them if you wish, AND you can NOT open executables that arrived in
> your mailbox and you don't trust.

In this particular case, it's even sillier than usual.

There's now an active attack against symmetric passphrases.  I can
fiddle with an SDA in transit so that it does its job normally and also
emails me the passphrase that successfully decrypted the archive.

So basically it's `protected by PGP's strong cryptography' which is
entirely wasted by a brain-damaged idea that some marketroid probably
thought would look kewl with a tick in the box next to it.

And that's without Steven Bellovin's completely legitimate concerns
about `executable content' in general: rich computing experiences and
all that.

Duh.

> It's madness to say that it is a "security threat".  With your logic,
> e-mailing is a security threat as well ;-) Who knows what you can send
> over e-mail !

Quite so.  I make sure that my mail reader won't do anything with a
message other than display it in a text window until I've had a chance
to examine it and decide what should happen next.

Executable email messages are one of the worst ideas I've ever heard
of.  And that's saying something.

[Thanks to Clive Jones, who came up with the attack above.]

-- [mdw]
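
Added example (not part of the original post, and not PGP's SDA format or
code): a toy Python model of the attack the post describes. The "stub" is a
list of instructions standing in for the executable part of a
self-decrypting archive, the cipher is a throwaway XOR keystream, and the
op names, file names and attacker address are all made up for the demo.
It shows that the payload's encryption does nothing to protect the stub,
so an attacker who can rewrite the file in transit gets a passphrase leak
while the archive still decrypts normally, and that the only defence is an
integrity check on the executable itself, made against something the
attacker cannot alter, before it is run.

```python
"""Toy model of a self-decrypting archive (SDA) and in-transit tampering.
Constructed example; not PGP's SDA format or code.  Names, ops, addresses
and the cipher are all made up for illustration.
"""
import hashlib
import hmac
import json

# Toy cipher: XOR with a SHA-256 counter keystream.  Demo only, not a real
# cipher or KDF; it just makes "DECRYPT" do something observable.
def derive_key(passphrase: str) -> bytes:
    return hashlib.sha256(passphrase.encode("utf-8")).digest()

def keystream(key: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def build_sda(plaintext: bytes, passphrase: str) -> bytes:
    """Sender side: encrypt the payload and bundle it with the stub."""
    stub = [["DERIVE_KEY"], ["DECRYPT"], ["WRITE", "output.txt"]]
    body = xor_bytes(plaintext, keystream(derive_key(passphrase), len(plaintext)))
    return json.dumps({"stub": stub, "payload": body.hex()}).encode("utf-8")

def run_sda(sda: bytes, passphrase: str, network: list) -> dict:
    """Recipient side: execute whatever instructions the stub contains.
    `network` collects anything the stub sends out (the 'email' in the post)."""
    doc = json.loads(sda)
    payload = bytes.fromhex(doc["payload"])
    state = {"passphrase": passphrase, "files": {}}
    for op, *args in doc["stub"]:
        if op == "DERIVE_KEY":
            state["key"] = derive_key(state["passphrase"])
        elif op == "DECRYPT":
            state["plain"] = xor_bytes(payload, keystream(state["key"], len(payload)))
        elif op == "WRITE":
            state["files"][args[0]] = state["plain"]
        elif op == "SEND":  # a stub can do anything, including phone home
            network.append((args[0], state[args[1]]))
        else:
            raise ValueError(f"unknown op {op}")
    return state

def tamper_in_transit(sda: bytes, attacker_addr: str) -> bytes:
    """Man-in-the-middle: keep the archive working, add a passphrase leak."""
    doc = json.loads(sda)
    doc["stub"].append(["SEND", attacker_addr, "passphrase"])
    return json.dumps(doc).encode("utf-8")

def verify_then_run(sda: bytes, trusted_digest: str, passphrase: str, network: list) -> dict:
    """The check: compare against a digest obtained over a channel the
    attacker cannot alter, and refuse to execute on mismatch."""
    actual = hashlib.sha256(sda).hexdigest()
    if not hmac.compare_digest(actual, trusted_digest):
        raise RuntimeError("SDA digest mismatch: refusing to run it")
    return run_sda(sda, passphrase, network)

def demo() -> tuple:
    secret, passphrase = b"quarterly numbers", "correct horse"
    sda = build_sda(secret, passphrase)
    trusted_digest = hashlib.sha256(sda).hexdigest()  # e.g. read out over the phone
    evil = tamper_in_transit(sda, "attacker@example.invalid")

    net = []
    state = run_sda(evil, passphrase, net)    # victim runs it blindly
    recovered = state["files"]["output.txt"]  # archive still "works"...
    leaked = net[0][1]                        # ...and the passphrase went out

    try:
        verify_then_run(evil, trusted_digest, passphrase, [])
        caught = False
    except RuntimeError:
        caught = True
    return recovered, leaked, caught

if __name__ == "__main__":
    print(demo())  # (b'quarterly numbers', 'correct horse', True)
```

The digest check only moves the problem: the digest has to reach the
recipient over a channel the attacker cannot rewrite, which in practice
means a signature over the whole executable verified against a key obtained
out of band. Without that, a recipient has no way to tell a tampered stub
from the genuine one, because both decrypt the archive perfectly well; the
conservative answer is the post's own, which is not to run executables that
arrived by mail at all.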