Post by VITRIOL
Post by pinocmq
I certainly wasn't trying to sink the wonderful PGP/GPG, eh
It was just to clarify :-)
Obviously the article is partisan, but it seemed clear enough to me. The
vulnerability is not in the cryptographic system itself, but at most in the
software that implements it. And it is an easily fixable flaw.
Anyone interested who reads [the one I linked] can already see it here:
{cut}
Post by VITRIOL
What's Being Done to Fix this Vulnerability
It’s possible to fix the specific exploits that allow messages to be
exfiltrated: namely, do better than the standard says by not rendering
messages if their integrity checks don’t check out. Updating the protocol and
patching vulnerable software applications would address this specific issue.
{cut}
Post by VITRIOL
PGP usage was always complicated and error-prone; with this new vulnerability,
it is currently almost impossible to give simple, reliable instructions on how
to use it with modern email clients.
{cut}
Post by VITRIOL
We Need To Be Better Than Pretty Good
The flaw that the researchers exploited in PGP was known for many years as a
theoretical weakness in the standard—one of many initially minor problems with
PGP that have grown in significance over its long life.
{cut}
Post by VITRIOL
Many will use today’s revelations as an opportunity to highlight PGP’s
numerous issues with usability and complexity, and demand better.
{cut}
Post by VITRIOL
We’re taking this latest announcement as a wake-up call to everyone in the
infosec and digital rights communities: not to pile on recriminations or
criticisms of PGP and its dedicated, tireless, and largely unfunded developers
and supporters, but to unite and work together to re-forge what it means to be
the best privacy tool for the 21st century.
{cut}
That is, the article never talks about security problems in PGP/GPG's
encryption, but about security problems (*known for a long time but
underestimated*) in the software that implements PGP/GPG.
Then, being EFF, instead of gushing over Protonmail (which I use too),
they recommend something else:
{cut}
Post by VITRIOL
EFF’s recommendations: Disable or uninstall PGP email plugins for now. Do not
decrypt encrypted PGP messages that you receive. Instead, use non-email based
messaging platforms, like Signal, for your encrypted messaging needs. Use
offline tools to decrypt PGP messages you have received in the past. Check for
updates at our Surveillance Self-Defense site regarding client updates and
improved secure messaging systems.
TLDR: I wrote an alarming and misleading subject line, but thank you for the link
you added