[Autocrypt] EFF Warning about PGP ...
Bjarni Runar Einarsson
bre at pagekite.net
Tue May 15 11:38:56 EDT 2018
Hellos!
Fun times.
To further clarify why the EFF may have gone ballistic with their
advisory (which I also mostly disagree with), there are always at
least two potential "oracles" for this attack - the sender and
the recipient. And anyone else in the conversation.
So in a conversation involving three people, only one of them
needs to be running a vulnerable software stack for the entire
conversation to be exfiltrated.
Related to this, I was asked on Mastodon whether Autocrypt
mandated plain-text only messages (forbidding HTML) for encrypted
content, to which I replied with a "nope."
I am actually not of the opinion that we should go that far,
since it might preclude some very interesting rich media apps
from being built on top of Autocrypt... but I did just make that
the default policy in Mailpile when rendering encrypted mail.
I would support a "SHOULD NOT load external content from
encrypted HTML" addition to the Autocrypt spec. What do you guys
think? Is that sort of thing on-topic?
- Bjarni
azul <azul at riseup.net> wrote:
>
> No, you would see a completely new message that was encrypted.
> The content of the message will be html. inside that html
> somewhere there is / are potentially hidden images
...
--
PageKite.net lets your personal computer be part of the web
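The rendering policy described in the message above ("don't load external content from encrypted HTML"), as an added example that is neither Mailpile's code nor part of the original post: a filter run over a decrypted HTML part before it is rendered, removing every attribute or element that would make the client fetch a remote resource (the render-time oracle) while keeping inline cid: and data: references. The element and attribute lists, the remote.example host and the sample body are assumptions constructed for this example.

```python
import html
import re
from html.parser import HTMLParser

FETCH_ATTRS = {"src", "srcset", "poster", "background"}   # fetched as soon as the body is rendered
DROP_TAGS = {"script", "style", "iframe", "frame", "object", "embed", "link", "meta", "base"}
SAFE_SCHEMES = ("cid:", "data:")                           # inline MIME parts and data URIs fetch nothing
class ExternalContentStripper(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.blocked, self._skip = [], [], None   # _skip: dropped element we are inside
    def _clean_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            v = (value or "").strip()
            if (name in FETCH_ATTRS and v and not v.lower().startswith(SAFE_SCHEMES)) \
                    or (name == "style" and re.search(r"url\s*\(", v, re.I)):   # CSS url() fetches too
                self.blocked.append(f"{tag}@{name}={v}")
            else:
                kept.append(name if value is None else f'{name}="{html.escape(v)}"')
        return kept
    def handle_starttag(self, tag, attrs, void=False):
        if self._skip:
            return
        if tag in DROP_TAGS:                                # drop the element and, if it has one, its body
            self.blocked.append(f"<{tag}>")
            self._skip = None if void or tag in {"link", "meta", "base"} else tag
            return
        self.out.append(f"<{' '.join([tag] + self._clean_attrs(tag, attrs))}>")
    handle_startendtag = lambda self, tag, attrs: self.handle_starttag(tag, attrs, void=True)  # <img/> -> <img>
    def handle_endtag(self, tag):
        if self._skip == tag:
            self._skip = None
        elif not self._skip:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):                            # comments are never re-emitted
        if not self._skip:
            self.out.append(html.escape(data, quote=False))

def strip_external_content(html_body):   # -> (sanitized_html, blocked_references)
    p = ExternalContentStripper()
    p.feed(html_body)
    p.close()
    return "".join(p.out), p.blocked

# Constructed sample: zero-sized remote image, inline cid: image, CSS url(), remote stylesheet.
SAMPLE = ('<p>Hi &amp; hello</p><img src="http://remote.example/x.png" width="0" height="0">'
          '<img src="cid:photo1"><div style="background:url(https://remote.example/y)">hi</div>'
          '<link rel="stylesheet" href="https://remote.example/s.css">')
```

The `blocked` list is what a client would log or show the user as "remote content was blocked" so the message still renders, just without the fetches.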