undefined | Better HN

0 pointsupofadown6y ago0 comments

My best guess is that they really meant EFAIL but didn't want to actually mention it because EFAIL had nothing to do with any weakness in the OpenPGP standard or the GnuPG implementation. Instead it was a HTML email horror story where someone figured out how to forward entire decrypted messages using image links.

So just more pointless anti-PGP innuendo...

0 comments

3 comments · 1 top-level

tptacek6y ago· 2 in thread

That is not in fact a good description of EFail, which was indeed caused by a failure both of the PGP protocol and of GPG, its reference implementation.

upofadownOP6y ago

>...a failure both of the PGP protocol ...

No. There were some changes in the actual protocol document that came out of EFAIL but no actual changes to the protocol other than a depreciation that was happening anyway.

>...and of GPG, ...

This also seems to be false. GPG didn't have to change anything as the result of EFAIL...

>...its reference implementation.

Also false. OpenPGP does not have a reference implementation.

tptacek6y ago

There were no changes in TLS after Bleichenbacher '98; instead, implementations just incorporated increasingly hacky workarounds. The PGP post upthread details the problems with the MDC, and the compounding implementation flaw in GPG that released unauthenticated plaintext to callers.

That MDC-era PGP remains the global standard, and that GPG continues to release unauthenticated plaintext to callers, just calls out further the impossibly compromised position PGP-based cryptosystems are in. You can try to do things like Sequoia that modernize PGP, but nobody in the installed base will be compatible with you, and the most popular and important "driver" of the protocol (again, GPG) is disinterested in mitigating the flaws of legacy PGP.

You can choose not to call GPG the PGP reference implementation, and there's no formal declaration anywhere saying that, but, it obviously is.

1 more reply

j / k navigate · click thread line to collapse