Eion MacDonald via list wrote:
>
> I normally only use Enigmail/Thunderbird for signing, as
> secure messages now down via protonmail.ch if possible.
> But even signing seems affected to attach.
Hanno notes that the recent Thunderbird release to fix the HTML image link
flaw is an incomplete fix.
Stop fetching non-local content in HTML emails by default (if you ever
did); that stops this whole class of issues.
The cryptographic weaknesses and flaws with PGP remain; some of these you
can mitigate with good choice of software and settings, some are inherent
to the PGP model (no forward security). Although even there you can rotate
keys frequently to achieve a similar effect of hiding identity and
minimising risk from later key compromise (nothing like stopping using a
secret key, and burning the platforms it was on, to avoid having it
compromised).
> However "Signal" is based on ownership of a 'smartphone' (Android etc).
> So us older users who only use 2G phone/SMS phones cannot use Signal on
> desktop as "Signal" system is tied to a smartphone contact list.
I wouldn't recommend Signal for desktop, as the Desktop clients that are
available are based on the Electron Framework, which is a mess; on Windows
it has had multiple issues that escalate XSS to remote code execution (and
I doubt the other platforms are much better). Although you can probably
virtualise that risk away if it is the best choice for you.
It is not enough to have strong cryptography; it also has to be implemented
well, and deployed intelligently.
The EFF has discontinued their Secure Messaging Scorecard with a "think
about what you need" message (probably wise).
Good OpSec trumps a million technical features and issues of your platform.
--
The Mailing List for the Devon & Cornwall LUG
https://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
A Midgley
Nowadays: Property and Photography