Bugtraq mailing list archives

Re: PGP 6.5.1 has been released
From: kjahds () KJAHDS COM (Kenneth Albanowski)
Date: Mon, 12 Jul 1999 19:20:13 -0400

On Wed, 7 Jul 1999, Steven M. Bellovin wrote:

> > Self-Decrypting Archives. You may now encrypt files or folders into
> > Self-Decrypting Archives (SDA) which can be used by users who do not even
> > have PGP. The archives are completely independent of any application,
> > compressed and protected by PGP's strong cryptography.
>
> I'm glad this was on bugtraq -- any crypto product with "self-decrypting
> archives" is a serious security threat, at least for the other versions I've
> seen.  They involve an executable that does *something* -- but what?  The
> world has recently learned what I hope the folks on this list have long
> known -- that you can't trust email with executable content.

For what it is worth, I'd consider an SDA to have one specific benefit in
a data storage situation: if recovery of the data is needed in an
emergency, or at a time in the future when locating the encryption
software is difficult, the chances are much better that you'll be able to
get the data unpacked. (You can accomplish something similar by storing a
copy of the PGP executable near the data.)

However, for data communications, I'd agree that SDAs are just tempting
fate. They might be used successfully in some particular situations
(transmission of data & executable over channels that can be snooped
but not modified) but seem to be tempting fate.

Kenneth Albanowski (kjahds () kjahds com, CIS: 70705,126)
