Thank you for your reply, Fabio. I read the example scenario in that link you provided.
To play devil's advocate, what stops the adversary from testing all available PGP-related vulnerabilities against their targets of interest? In other words, just how much more expensive have you made targeted operations? Or how much more expensive have you made bulk surveillance? It's not clear that this makes it drastically more difficult / costly.

Thanks,

~Tomer

----- Original Message -----
From: "Fabio Pietrosanti (naif)" <li...@infosecurity.ch>
To: liberationtech@lists.stanford.edu
Sent: Monday, June 2, 2014 2:06:16 PM
Subject: Re: [liberationtech] Cryptography Leak in Enigmail / GnuPG

On 6/2/14, 6:43 PM, Tomer Altman wrote:
>
> Can you state precisely the threat model that you are concerned about?

You are right, the subject is not directly related to "cryptography" but to "security".

The threat model is better described in the ticket that has been opened with various PGP email clients' plugins, such as http://support.gpgtools.org/discussions/everything/13667-privacy-leak-in-version-and-comment-header .

With the fixes that have been done in GnuPG, Enigmail and GPGTools, such software should provide safe defaults against this issue.

It has also been reported that Symantec Encryption Desktop (formerly PGP Desktop) adds multiple fingerprints to headers, leading to an information leak. An issue ticket has also been opened for that commercial product.

The commercial PGP software adds the following headers, at least without adding the exact version number:

Received: from XXXXXXX by XXXX-YYYYY (PGP Universal service); Sun, XX XXX 20XX 11:11:11 +0100
X-PGP-Universal: processed; by XX-XXXXX on Sun, XX XXX 20XX 11:11:11 +0100

-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org

-- 
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech.
Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.
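The Version:/Comment: armor headers the thread is about, as a small detection-and-stripping script added here for illustration (it is not code from the thread, GnuPG or Enigmail); the armored block it scans is constructed, with a placeholder body rather than real ciphertext.

```python
import re
BEGIN_RE = re.compile(r"^-----BEGIN PGP ([A-Z ]+)-----$")  # armored block opener
LEAKY_HEADERS = ("Version", "Comment")  # armor headers that identify the client

def find_armor_headers(text):
    """Return [(block_type, {header: value})] for every armored block in text."""
    found, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = BEGIN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        headers, i = {}, i + 1
        # Armor headers run from the BEGIN line up to the first blank line.
        while i < len(lines) and lines[i].strip():
            key, _, value = lines[i].partition(":")
            headers[key.strip()] = value.strip()
            i += 1
        found.append((m.group(1), headers))
    return found

def leaks(text):
    """List (block_type, header, value) for each identifying header present."""
    return [(bt, k, v) for bt, hdrs in find_armor_headers(text)
            for k, v in hdrs.items() if k in LEAKY_HEADERS]

def strip_armor_headers(text):
    """Drop Version:/Comment: lines from armor header sections only; other
    headers (e.g. Hash: in cleartext signatures) and the body are kept."""
    out, in_hdr = [], False
    for line in text.splitlines():
        if BEGIN_RE.match(line):
            in_hdr = True
        elif in_hdr and not line.strip():
            in_hdr = False
        elif in_hdr and line.partition(":")[0].strip() in LEAKY_HEADERS:
            continue
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")

# Constructed sample in the pre-fix Enigmail/GnuPG style; body is placeholder.
SAMPLE = """-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

hQEMA0PLACEHOLDERBODY
=AbCd
-----END PGP MESSAGE-----
"""
```

Armor headers are outside the signed or encrypted data, so removing them does not invalidate the block; a mail filter can run `strip_armor_headers` on outbound messages from clients that still add them.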