___Viper___ _ <viper_____at_private> wrote:

> "Having the option" never hurt anyone. You can produce SDAs, and use
> them if you wish, AND you can NOT open executables that arrived in
> your mailbox and you don't trust.

In this particular case, it's even sillier than usual. There's now an active attack against symmetric passphrases. I can fiddle with an SDA in transit so that it does its job normally and also emails me the passphrase that successfully decrypted the archive.

So basically it's `protected by PGP's strong cryptography' which is entirely wasted by a brain-damaged idea that some marketroid probably thought would look kewl with a tick in the box next to it.

And that's without Steven Bellovin's completely legitimate concerns about `executable content' in general: rich computing experiences and all that. Duh.

> It's madness to say that it is a "security threat". With your logic,
> e-mailing is a security threat as well ;-) Who knows what you can send
> over e-mail !

Quite so. I make sure that my mail reader won't do anything with a message other than display it in a text window until I've had a chance to examine it and decide what should happen next.

Executable email messages are one of the worst ideas I've ever heard of. And that's saying something.

[Thanks to Clive Jones, who came up with the attack above.]

-- [mdw]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:52:01 PDT