As a "user-only" of these tools, I have found the casual attitude around the varying ways in which encryption has been subverted by <insert wealthy government here and see 5 Eyes/14 eyes/locations of US intel stations in MENA, etc> intelligence actors around the world very disturbing. We have processors bugged during delivery intercepts, at least one facility here in the US (if we don't count Google) with enough computing power and resources to pull off decrypting SHA512 without breaking a sweat, etc. etc. - and little information about how pervasive their use of cryptographic hacking technology is. http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security
Enigmails plugin is recommended to activists around the world - most recently by ResetTheNet.org https://pack.resetthenet.org/. Though it may be useful to think of rewriting Enigmail code to include an upgrade cryptography solution, I'm not sure why anyone would consider SHA512 up to the task of protecting activists. If the NSA can break 1024 bit encryption, they have almost certainly already hacked SHA512. "Another option is that the NSA has built dedicated hardware capable of factoring 1024-bit numbers. There's quite a lot of RSA-1024 out there, so that would be a fruitful project. So, maybe." https://www.schneier.com/blog/archives/2012/03/can_the_nsa_bre.html I have neither the time nor the energy to go into all the exhaustive articles out there on the NSA's assault, using private corporate partners as well as government facilities, on privacy around the globe. My question for you is: Why would you want to add encryption that is "good enough" to a product that already contains this ability? Why would you NOT want to include the strongest, most secure encryption possible by default? Thank-you for your time and patience with a non-coding, technical support person :) On 6/9/2014 5:45 AM, Suspekt wrote: > Am 09.06.2014 12:18, schrieb Nicolai Josuttis (enigmail): >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA512 >> >> Hi "Suspekt", >> >> thanks for the feedback. >> >> the cryptographic experts warn strongly about using SHA1. >> See for example Minute 31:30 of the following talk (in German): >> >> http://media.ccc.de/browse/congress/2013/30C3_-_5337_-_de_-_saal_2_-_201312271715_-_kryptographie_nach_snowden_-_ruedi.html >> >> >> The essence is "SHA1 is broken". >> See also by the same author >> http://www.cryptolabs.org/hash/WeisCccDsHash05.html >> The author offered the following bet in 2005(!): >> I would prefer to bet for Britney Spears being a virgin >> over the safety of SHA1 >> ;-) >> >> Without being an expert, that's seriously enough >> strong warnings by experts I trust. >> >> Best >> Nico > > OK, let me also throw in some references ;) > > https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html > "A collision attack is therefore well within the range of what an > organized crime syndicate can practically budget by 2018, and a > university research project by 2021." > > So, yes lets switch, but don't panic. I've read on some mailinglist the > nice paraphrase "let's retreat instead of run away". > To clarify this: Using SHA512 as a default is probably a good thing > > > > _______________________________________________ > enigmail-users mailing list > [email protected] > https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net > _______________________________________________ enigmail-users mailing list [email protected] To unsubscribe or make changes to your subscription click here: https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net
