[21249] in bugtraq
Re: crypto flaw in secure mail standards
daemon@ATHENA.MIT.EDU (Richard Atterer)
Thu Jun 28 18:15:39 2001
Date: Thu, 28 Jun 2001 13:46:39 +0200
From: Richard Atterer <atterer@informatik.tu-muenchen.de>
To: bugtraq@securityfocus.com
Message-Id: <20010628134639.E5144@atterer.net>
Mail-Followup-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="HcAYCG3uE/tztfnV"
Content-Disposition: inline
--HcAYCG3uE/tztfnV
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
There is another issue with the OpenPGP standard which should have
been addressed a long time ago: The "Subject:" line is not encrypted
for encrypted mail.
Even *if* you know about this, it is inconvenient: You always try to
find a subject which is still meaningful to the addressee, but not to
anyone else.
However, if a user does not know about this, it is a dangerous gap in
PGP's security: In many cases, one can deduce the content of the
encrypted mail from the subject header. PGP and MUAs with PGP support
should either make it very clear that the subject is not encrypted, or
(ideally) a facility for encrypted message headers should be added to
OpenPGP.
Richard
--=20
__ _
|_) /| Richard Atterer
| \/=AF| http://atterer.net
=AF =B4` =AF
--HcAYCG3uE/tztfnV
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.5 (GNU/Linux)
iD8DBQE7Oxkfeeb23IiDVPcRAj8VAJkBTqqTSfrNJsA6FbvtdNcG6AR68QCgmSVB
48ovgNuYYkFcQQkf25UJxlc=
=sPWg
-----END PGP SIGNATURE-----
--HcAYCG3uE/tztfnV--
