Re: Anybody know details about Schneier's "flaw"?

"Adrian 'Dagurashibanipal' von Bidder" <avbidder@fortytwo.ch> Mon, 19 August 2002 13:01 UTC

Received: from above.proper.com (mail.proper.com [208.184.76.45]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA00634 for <openpgp-archive@lists.ietf.org>; Mon, 19 Aug 2002 09:01:34 -0400 (EDT)
Received: by above.proper.com (8.11.6/8.11.3) id g7JCsJe23307 for ietf-openpgp-bks; Mon, 19 Aug 2002 05:54:19 -0700 (PDT)
Received: from atlas.acter.ch ([212.126.160.108]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g7JCsIw23303 for <ietf-openpgp@imc.org>; Mon, 19 Aug 2002 05:54:18 -0700 (PDT)
Received: by atlas.acter.ch (Postfix, from userid 1047) id DDC81C3B0; Mon, 19 Aug 2002 14:54:18 +0200 (CEST)
Subject: Re: Anybody know details about Schneier's "flaw"?
From: "Adrian 'Dagurashibanipal' von Bidder" <avbidder@fortytwo.ch>
To: ietf-openpgp@imc.org
In-Reply-To: <200208191129.XAA214939@ruru.cs.auckland.ac.nz>
References: <200208191129.XAA214939@ruru.cs.auckland.ac.nz>
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-c6HIAhDluoStiSC+MQqb"
X-Mailer: Ximian Evolution 1.0.8
Date: 19 Aug 2002 14:54:18 +0200
Message-Id: <1029761658.29620.7.camel@atlas>
Mime-Version: 1.0
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On Mon, 2002-08-19 at 13:29, Peter Gutmann wrote:
> 
> "Dominikus Scherkl" <Dominikus.Scherkl@glueckkanja.com> writes:
> 
> >The whole attack looks very suspicious to me...
> 
> On the grand scale of things, it has curiosity value, but not much more.  There
[...]

>   As a security threat, I'd say this rates somewhere down with "Router hit by
>   meteorite", "Computer trampled by stampeding water buffalo", "Hard drive
>   kidnapped by space aliens", and similar stuff.
> 
> Sure, it is in theory possible, if you try really, really hard and are willing
> to bend over backwards to cooperate with an attacker, to allow this kind of
> attack to occur.  [...]  You're more likely to get someone's key by asking them

As I've said in my other mail it's really a problem of some mailreaders
being unclear. For example, evolution does not display any indication
that the displayed message was encrypted. (You have to enter the
passphrase the first time you look at an encrypted msg, but I usually
tell it to store the passphrase for the session, causing it to
auto-decrypt any further messages.

In other words: on technical grounds, I absolutely agree with you. BUT
with bad UIs in some mailreaders, and with the experience that users
generally are more stupid than anyone would believe, this type of attack
is very realistic.

Bot, and here I'm sure that your opinion is the same, this discussion is
not really on-topic on a technical mailing list... 

cheers
-- vbi

-- 
secure email with gpg                         http://fortytwo.ch/gpg