Eion MacDonald via list wrote:
>
> I normally only use Enigmail/Thunderbird for signing, as
> secure messages now down via protonmail.ch if possible.
> But even signing seems effected to attach.

Hanno notes that the recent Thunderbird release to fix the HTML image link flaw is an incomplete fix.

Stop fetching non-local content in HTML emails by default (if you ever did); that stops this whole class of issues.

The cryptographic weaknesses and flaws with PGP remain. Some of these you can mitigate with a good choice of software and settings; some are inherent to the PGP model (no forward security). Although even there you can rotate keys frequently to achieve a similar effect of hiding identity and minimising risk from later key compromise (nothing like stopping using a secret key, and burning the platforms it was on, to avoid having it compromised).

> However "Signal" is based on ownership of a 'smartphone' (Android etc).
> So us older users who only use 2G phone/SMS phones cannot use Signal on
> desktop as "Signal" system is tied to a smartphone contact list.

I wouldn't recommend Signal for desktop, as the desktop clients that are available are based on the Electron framework, which is a mess; on Windows it has had multiple issues that escalate XSS to remote code execution (and I doubt the other platforms are much better). Although you can probably virtualise that risk away if it is the best choice for you.

It is not enough to have strong cryptography; it also has to be implemented well and deployed intelligently.

The EFF has discontinued their Secure Messaging Scorecard with a "think about what you need" message (probably wise).

Good OpSec trumps a million technical features and issues of your platform.

--
The Mailing List for the Devon & Cornwall LUG
https://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq