Home page logo

bugtraq logo Bugtraq mailing list archives

Re: PGP 6.5.1 has been released
From: mdw () EBI AC UK (Mark Wooding)
Date: Tue, 13 Jul 1999 10:14:13 +0100

___Viper___ _ <viper_____ () HOTMAIL COM> wrote:

"Having the option" never hurt anyone.  You can produce SDAs, and use
them if you wish, AND you can NOT open executables that arrived in
your mailbox and you don't trust.

In this particular case, it's even sillier than usual.

There's now an active attack against symmetric passphrases.  I can
fiddle with an SDA in transit so that it does its job normally and also
emails me the passphrase that successfully decrypted the archive.

So basically it's `protected by PGP's strong cryptography' which is
entirely wasted by a brain-damaged idea that some marketroid probably
thought would look kewl with a tick in the box next to it.

And that's without Steven Bellovin's completely legitimate concerns
about `executable content' in general: rich computing experiences and
all that.


It's madness to say that it is a "security threat".  With your logic,
e-mailing is a security threat as well ;-) Who knows what you can send
over e-mail !

Quite so.  I make sure that my mail reader won't do anything with a
message other than display it in a text window until I've had a chance
to examine it and decide what should happen next.

Executable email messages are one of the worst ideas I've ever heard
of.  And that's saying something.

[Thanks to Clive Jones, who came up with the attack above.]

-- [mdw]

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]