
PGP Broken. Long Live PGP

2018-05-14 by: Stephen Kraus
From: Stephen Kraus 
------------------------------------------------------
https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now

===============================================================
From: Joel
------------------------------------------------------
Great subject line, Stephen.

Does anyone know of another asymmetric encryption protocol that addresses some of PGP's design weaknesses? I'd love to use something like Signal, but I prefer using open protocols rather than particular projects' products.

Thanks!
Joel Swanson

===============================================================
From: Keith
------------------------------------------------------
A couple of things:

1) Isn't Signal Open Source and using open protocols already?
2) My understanding of the E-Fail exploit is that it is not an issue with the PGP encryption itself, it's an issue with the way email clients/plug-ins are implementing it.

===============================================================
From: Stephen Kraus
------------------------------------------------------
The problem is that the misconfiguration results in retrieving a decrypted message whereas it should cause an error and fail to decrypt. That's the bug.

Yes, it's easily fixed with ensuring the user has his setup configured correctly, but PGP also needs to ensure that it doesn't result in it spitting out decrypted messages rather than alerting the user to an error while maintaining encryption.

===============================================================
From: Sean Brewer
------------------------------------------------------
Signal's protocol and software are open and have been from the start. You can find the source for the various Signal applications and the protocol libraries they maintain here: https://github.com/signalapp