On 17 Mar 2005, at 3:42 AM, Ben Laurie wrote:
It's a small thing, but if message A has one attachment,
"Attachment.pgp", and message B has two attachments, "Text.pgp" and
"ZeSecretPlans.doc.pgp" -- which each decompose to the same mail
message -- one could argue that message A is more secure than message
B because it leaks less information about its internal structure.
Are attachment names really not encrypted? If they are (as they should
be) then the only threat is that an attacker knows the number and
(compressed) size of the attachments. I find it hard to get excited
about that.
No, they're not encrypted. This is part of MIME. The MIME part has a
file name, and that file name is in the clear. The PGP products do what
I described in my previous note; we name them AttachmentN.pgp, and
inside the literal packet is the actual name of the resultant file.
A number of systems do not encrypt the file names, even when they are
using OpenPGP/MIME.
Jon