
PGP Broken. Long Live PGP

2018-05-14 by: Stephen Kraus
From: Stephen Kraus 

===============================================================
From: Joel
------------------------------------------------------
Great subject line, Stephen.

Does anyone know of another asymmetric encryption protocol that addresses some of PGP's design weaknesses? I'd love to use something like Signal, but I prefer using open protocols rather than particular projects' products.

Thanks!
Joel Swanson

===============================================================
From: Keith
------------------------------------------------------
A couple of things:

1) Isn't Signal Open Source and using open protocols already?

2) My understanding of the E-Fail exploit is that it is not an issue with the PGP encryption itself, it's an issue with the way email clients/plug-ins are implementing it.

ties-require-you-take-action-now chment.html

===============================================================
From: Stephen Kraus
------------------------------------------------------
The problem is that the misconfiguration results in retrieving a decrypted message whereas it should cause an error and fail to decrypt. That's the bug.

Yes, it's easily fixed with ensuring the user has his setup configured correctly, but PGP also needs to ensure that it doesn't result in it spitting out decrypted messages rather than alerting the user to an error while maintaining encryption.

===============================================================
From: Sean Brewer
------------------------------------------------------
Signal's protocol and software are open and have been from the start. You can find the source for the various Signal applications and the protocol libraries they maintain here:

https://github.com/signalapp ut