On Wed, 7 Jul 1999, Steven M. Bellovin wrote:

> >Self-Decrypting Archives. You may now encrypt files or folders into
> >Self-Decrypting Archives (SDA) which can be used by users who do not even
> >have PGP. The archives are completely independent of any application,
> >compressed and protected by PGP's strong cryptography.
>
> I'm glad this was on bugtraq -- any crypto product with "self-decrypting
> archives" is a serious security threat, at least for the other versions I've
> seen.  They involve an executable that does *something* -- but what?  The
> world has recently learned what I hope the folks on this list have long
> known -- that you can't trust email with executable content.

For what it is worth, I'd consider an SDA to have one specific benefit in
a data storage situation: if recovery of the data is needed in an
emergency, or at a time in the future when locating the encryption
software is difficult, the chances are much better that you'll be able to
get the data unpacked. (You can accomplish something similar by storing a
copy of the PGP executable near the data.)

However, for data communications, I'd agree that SDAs are just tempting
fate. They might be used successfully in some particular situations
(transmission of data & executable over channels that can be snooped
but not modified) but seem to be tempting fate.

--
Kenneth Albanowski ([EMAIL PROTECTED], CIS: 70705,126)

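The "snooped but not modified" caveat above can be turned into a check on the receiving side: if the sender publishes a digest of the SDA over a channel the attacker cannot alter, the recipient can confirm the executable it received is the one that was sent before running it. The following is an added example, not code from the thread or from PGP; the archive bytes are a constructed stub (a PE-style "MZ" header followed by filler), the reference digest is assumed to have been obtained out of band, and the helper names are hypothetical. The check only establishes that the file is unmodified; it says nothing about what the executable does, which is Bellovin's real objection.

```python
import hashlib
import hmac

# Magic bytes of common native executable formats: Windows PE ("MZ") and ELF.
# Used to recognise that an "archive" is in fact code that will run.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")


def looks_like_executable(blob: bytes) -> bool:
    """True if the first bytes match a known native executable header."""
    return any(blob.startswith(magic) for magic in EXECUTABLE_MAGIC)


def sha256_hex(blob: bytes) -> str:
    """Hex SHA-256 of the received bytes."""
    return hashlib.sha256(blob).hexdigest()


def integrity_ok(blob: bytes, expected_hex: str) -> bool:
    """Compare the digest of blob with the out-of-band reference.

    hmac.compare_digest avoids leaking where the mismatch occurs via timing.
    """
    return hmac.compare_digest(sha256_hex(blob), expected_hex.lower())


def should_run(blob: bytes, expected_hex: str):
    """Decide whether a received self-decrypting archive may be executed.

    Returns (decision, reason). Only a file that is both an executable and
    byte-identical to what the sender published is allowed through; anything
    else is treated as untrusted data and left unexecuted.
    """
    if not looks_like_executable(blob):
        return False, "not a native executable; treat as data, not an SDA"
    if not integrity_ok(blob, expected_hex):
        return False, "digest mismatch: modified in transit or wrong reference"
    return True, "digest matches the out-of-band reference"


# Constructed sample: a fake PE-style stub standing in for an SDA (not a real one).
ORIGINAL_SDA = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"constructed SDA stub"

# Assumed to have been published by the sender over an unmodifiable channel.
REFERENCE_DIGEST = sha256_hex(ORIGINAL_SDA)

# The same archive after an attacker on the path altered its payload.
TAMPERED_SDA = ORIGINAL_SDA.replace(b"stub", b"evil")

# An ordinary ASCII-armoured PGP message is data, not an executable.
ARMOURED_MESSAGE = b"-----BEGIN PGP MESSAGE-----\n...\n-----END PGP MESSAGE-----\n"


if __name__ == "__main__":
    for name, blob in (("original", ORIGINAL_SDA),
                       ("tampered", TAMPERED_SDA),
                       ("armoured", ARMOURED_MESSAGE)):
        decision, reason = should_run(blob, REFERENCE_DIGEST)
        print(f"{name}: run={decision} ({reason})")
```

Usage note: the digest must travel separately from the archive (a signed message, a phone call, a printed sheet kept with the backup media); if it rides in the same email as the SDA, an attacker who can replace one can replace both, and the check proves nothing.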