At 01:14 PM 4/6/1999 -0700, Jim Gillogly wrote:
>Michael Paul Johnson wrote:
>>> Of course this is dangerous, but there is a demand for it. Not everyone
>>> wants bomb-proof security. ... The real cure, of course, is to so
>>> tightly and easily integrate security into email that it is as easy
>>> as this to use, but not as risky.
>
>Steven M. Bellovin responded:
>> There's bomb-proof security, and there's "security" that itself is a time
>> bomb.  I fear that self-extracting decryptors are much closer to
>> the latter than to the former -- very much closer.
>
>I agree with Steve about this part.  These programs are much like
>the active email bogosities, which should never be allowed to
>operate without the user's informed consent -- and I don't regard
>accepting Windows defaults as constituting informed consent.  But
>supplying weak cryptography to people even with caveats can give
>them a fatally false sense of security.  If they could tell at a
>glance that their communications were weak, they might use them
>more safely.

Of course. This problem can be solved by providing the recipient with a
"real" security program instead of a "self-decrypting" executable, then
sending the encrypted data separately. Of course, this is also subject to
the very same active attack. The attacker merely forges a message from you,
offering an upgrade to the "real" security program that surreptitiously also
mails the password(s) and/or plaintext back to him, and hopes that the
recipient doesn't notice the lack of a digital signature.


_______

Michael Paul Johnson
http://ebible.org/mpj
