D&C GLug - Home Page


Re: [LUG] gpg security flaw


On 19/05/18 10:47, Simon Waters wrote:
> I wouldn't recommend Signal for desktop, as the Desktop clients that are
> available are based on the Electron Framework which is a mess, on Windows
> it has had multiple issues that escalate XSS to remote code execution (and
> I doubt the other platforms are much better). Although you can probably
> virtualise that risk away if it is the best choice for you.

Unfortunately I've very recently had to start using Telegram and Signal
to keep up with various clients and friends abroad who like living
dangerously and aren't quite as keen on diligent security practices as I
am (could be worse I suppose - Discord and Slack for example). I keep
them both compartmentalised well away from my main system via Docker and
destroy/re-deploy them fresh every time I need them, even if that means
the extra hassle of quickly redoing initial setup each time. I shrugged
my way through the recent round of desktop Electron client
vulnerabilities as per usual because:

> Good OpSec trumps a million technical features and issues of your platform.

A thousand times this. Just think safely and play it conservative - it's
not so much what you're doing that's important, it's _how_ you do it.
The same with the PGP issues: there are some underlying technical flaws
that definitely need fixing up but seriously, in the Venn diagram of
"people using PGP" and "people allowing MUAs to load remote content,
automatically decrypt, retain passphrases and render HTML" just what
kind of throw-caution-and-common-sense-to-the-wind nutter would you need
to be to find yourself in the intersection? Obviously, some people do
fit that bill and of course they don't deserve to be hacked but
sometimes you do have to put in just a modicum of effort to do things
right. Or at least less bad than 99% of the rest of the population. Just
a bit of common sense OpSec will do wonders for anyone.

Cheers


-- 
The Mailing List for the Devon & Cornwall LUG
https://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq