Hi,
On 4/30/19 3:19 PM, Stephen Farrell wrote:
> On 30/04/2019 13:29, ilf wrote:
>> https://github.com/RUB-NDS/Johnny-You-Are-Fired
>> https://raw.githubusercontent.com/RUB-NDS/Johnny-You-Are-Fired/master/paper/johnny-fired.pdf
>
> Great work, thanks! I guess that's another fine
> demonstration that code that's not really used
> in anger enough tends to have lots of frailties;-(
>
> A comment and a question:
>
> - I think it'd be a fine thing if this were to be
> presented at an IETF meeting - if some of the
> authors are going to be at one of those (or
> would present remotely) then contacting the
> security area directors and asking for a slot at
> some saag session would be a fine thing.
I don't think any of us are at IETF meetings, but maybe something could
be arranged, depending on the details. We will present at USENIX
Security 2019, of course.
> - I wasn't clear how to interpret the missing
> combinations from Table 2, e.g. does the lack of
> mention of the Linux/TB/Enigmail combination mean
> that it was not vulnerable to the attacks or that
> it was not tested? (Or that it's almost certainly
> vulnerable but you'd already broken so much so well,
> it wasn't worth specifically documenting;-)
We did not include redundancies, for several reasons:
* They would bias our evaluation result (we don't want to inflate our
attack success rate artificially),
* systematic testing is a lot of effort, so we had to limit the number
of combinations, and
* completeness is not feasible anyway. For example, you could also
combine several attack types in a single attack to achieve an even
higher success rate, but we did not evaluate that.
BTW, other examples missing are Trojitá and KMail under Windows.
In the case of Thunderbird I feel comfortable saying that all OpenPGP
test cases have been developed under Linux and then confirmed on
Windows, but we don't say that in the paper.
Of course, we published our test cases, so it is easy to check
additional combinations and software platforms!
Thanks,
Marcus
--
Dipl.-Math. Marcus Brinkmann
Lehrstuhl für Netz- und Datensicherheit
Ruhr Universität Bochum
Universitätsstr. 150, Geb. ID 2/461
D-44780 Bochum
Telefon: +49 (0) 234 / 32-25030
http://www.nds.rub.de/chair/people/mbrinkmann
_______________________________________________
openpgp mailing list
openpgp@ietf.org
https://www.ietf.org/mailman/listinfo/openpgp