Suggestions to Thunderbird users

2022-02-24 Thread PetRoh

I haven't tested this myself but from a quick check with someone who uses
Thunderbird they couldn't verify this claim. Maybe this just happens on some
versions? Either way I wouldn't assume it's intended behavior.


Other than an annoying inability to turn off "by default"
attachment of public key and signing each encrypted message,
I did not notice this behaviour.

Thunderbird is by far the best openPGP cross-platform
mail-client application around. However, my suggestion to
Thunderbird mail encryption users is to avoid any
"gnupg integration". In particular:

- If you really need to import some gnupg generated keys into
  Thunderbird, clean them of any WOT crud first and treat that
  as a one-way, one-time copy/transfer. A much better approach
  is to consider the public/private key pair as an e-mail
  address/application specific item, generated directly in,
  and used only by Thunderbird.

- Devise your own method of getting public keys into the hands of
  your correspondents and of their authentication and termination.

- Even if you use a mail attachment to initially send public key
  to a correspondent, remember to turn off default "attach key"
  for all subsequent messages. Likewise, do not sign messages by
  default, but only when there is a good reason to do so.

- If at all possible, do not depend on Thunderbird to protect
  your private key; instead, place your complete mail profile
  directory hierarchy in an encrypted container.

With the above, and due to its popularity, Thunderbird has a
reasonable chance to increase that minuscule fraction of
encrypted e-mails.




___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
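
The first suggestion in the message above ("clean them of any WOT crud first") comes down to dropping third-party certifications from the exported key. The following Python sketch is an added example, not code from the poster or from GnuPG or Thunderbird; it shows that filtering at the OpenPGP packet level. It assumes a binary (non-armored) public key with v4 key and signature packets, and all function names are made up for this illustration. GnuPG's own `export-minimal` export option serves a similar purpose.

```python
import hashlib
def read_len(buf, i, two_octet_max):
    """Decode a new-style length at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first <= two_octet_max:
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    if first == 255:
        return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5
    raise ValueError("partial body lengths are not handled")

def packets(data):
    """Yield (tag, raw_packet, body) per OpenPGP packet (RFC 4880, section 4.2)."""
    i = 0
    while i < len(data):
        start, hdr = i, data[i]
        if hdr & 0x40:                       # new-format header
            tag = hdr & 0x3F
            n, i = read_len(data, i + 1, 223)
        else:                                # old-format header
            tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            if size == 8:
                raise ValueError("indeterminate lengths are not handled")
            n, i = int.from_bytes(data[i + 1:i + 1 + size], "big"), i + 1 + size
        yield tag, data[start:i + n], data[i:i + n]
        i += n

def issuers(sig):
    """Issuer key IDs (subpacket type 16) in both areas of a v4 signature body."""
    ids, pos = set(), 4                      # skip version, sig type, pk algo, hash algo
    for _ in range(2):                       # hashed area, then unhashed area
        pos, end = pos + 2, pos + 2 + int.from_bytes(sig[pos:pos + 2], "big")
        while pos < end:
            n, p = read_len(sig, pos, 254)   # subpacket length covers type octet + data
            if sig[p] & 0x7F == 16:          # mask off the "critical" bit
                ids.add(sig[p + 1:p + n])
            pos = p + n
    return ids

def strip_third_party(key):
    """Assumes v4 packets: keep key, user ID, subkey and self-signature packets only."""
    out, keyid = [], None
    for tag, raw, body in packets(key):
        if tag == 6 and keyid is None:       # v4 key ID: low 64 bits of the SHA-1 fingerprint
            keyid = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).digest()[-8:]
        if tag in (6, 13, 14, 17) or (tag == 2 and body[0] == 4 and keyid in issuers(body)):
            out.append(raw)
    return b"".join(out)
```

Input is a `bytes` object holding the binary form of one public key, for example the output of `gpg --export` for a single key ID.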


Re: pgp263iamulti06

2022-01-24 Thread PetRoh
from r...@sixdemonbag.org...: 


...
I wouldn't say "almost definitely" the way I do for DOS, but I'd still 
say I'd find it a disturbing possibility I'd want to investigate and 
rule out before I used PGP 2.6.3 in a UNIX environment.


Thank you very much for your comments.

Would you be able to suggest the version to use in "portable" mode?
(a) under Linux?
(b) under Windows?

tia, PetRoh



Re: pgp263iamulti06

2022-01-23 Thread PetRoh

from r...@sixdemonbag.org...:


The CSPRNG is almost certainly broken. 


Thank you!

When generating the key-pair with pgp263iamulti06, the
"randomness" is obtained by user's keyboard input. Is it
then that the above applies only when the session key is
generated?


PGP 2.6.3 was a DOS program,...


And Linux. (Apple too - remember compiling it on Mac when
the command-line build tools were still available). So is
the same (i.e., a problematic source of randomness when
generating the session key) likely to be the case
compiling/running 2.6.3iamulti06 under Linux today?

PetRoh




pgp263iamulti06

2022-01-19 Thread PetRoh

I know those that still use pgp263iamulti06 [*] from removable media,
without "installation".

Are there known, documented security deficiencies in it? Any better
alternative for those that need to use pgp/gpg in "portable" mode?

---
* archive file pgp263iamulti06.zip, sha256sum:
35c39ed613a82c9aaf6463ef8c9a25d97cde592912fd3d6bd7efac2074cd783f



