___Viper___ _ <[EMAIL PROTECTED]> wrote:
> "Having the option" never hurt anyone. You can produce SDAs, and use
> them if you wish, AND you can NOT open executables that arrived in
> your mailbox and you don't trust.
In this particular case, it's even sillier than usual.
There's now an active attack against symmetric passphrases. I can
fiddle with an SDA in transit so that it does its job normally and also
emails me the passphrase that successfully decrypted the archive.
So basically it's `protected by PGP's strong cryptography' which is
entirely wasted by a brain-damaged idea that some marketroid probably
thought would look kewl with a tick in the box next to it.
And that's without Steven Bellovin's completely legitimate concerns
about `executable content' in general: rich computing experiences and
all that.
Duh.
> It's madness to say that it is a "security threat". With your logic,
> e-mailing is a security threat as well ;-) Who knows what you can send
> over e-mail !
Quite so. I make sure that my mail reader won't do anything with a
message other than display it in a text window until I've had a chance
to examine it and decide what should happen next.
Executable email messages are one of the worst ideas I've ever heard
of. And that's saying something.
[Thanks to Clive Jones, who came up with the attack above.]
-- [mdw]
