ietf-openpgp

Re: Anybody know details about Schneier's "flaw"?

2002-08-19 05:54:19
On Mon, 2002-08-19 at 13:29, Peter Gutmann wrote:

"Dominikus Scherkl" <Dominikus(_dot_)Scherkl(_at_)glueckkanja(_dot_)com> writes:

The whole attack looks very suspicious to me...

On the grand scale of things, it has curiosity value, but not much more.  There
[...]

  As a security threat, I'd say this rates somewhere down with "Router hit by
  meteorite", "Computer trampled by stampeding water buffalo", "Hard drive
  kidnapped by space aliens", and similar stuff.

Sure, it is in theory possible, if you try really, really hard and are willing
to bend over backwards to cooperate with an attacker, to allow this kind of
attack to occur.  [...]  You're more likely to get someone's key by asking them

As I've said in my other mail, it's really a problem of some mailreaders
being unclear. For example, Evolution does not display any indication
that the displayed message was encrypted. (You have to enter the
passphrase the first time you look at an encrypted msg, but I usually
tell it to store the passphrase for the session, causing it to
auto-decrypt any further messages.)

In other words: on technical grounds, I absolutely agree with you. BUT
with bad UIs in some mailreaders, and with the experience that users
generally are more stupid than anyone would believe, this type of attack
is very realistic.

But, and here I'm sure that your opinion is the same, this discussion is
not really on-topic on a technical mailing list... 

cheers
-- vbi

-- 
secure email with gpg                         http://fortytwo.ch/gpg
