The Call of the Open Sidewalk

From a place slightly to the side of the more popular path


pgpfan:tpp

Differences

This shows you the differences between two versions of the page.

pgpfan:tpp [2022/08/21 12:33] – "would of" b.walzerpgpfan:tpp [2024/05/02 13:39] (current) – We have a reference now b.walzer
Line 111: Line 111:
 >Even if you do, the new SEIP packet format is close enough to the insecure SE format that you can potentially trick readers into downgrading; ... >Even if you do, the new SEIP packet format is close enough to the insecure SE format that you can potentially trick readers into downgrading; ...
  
-We have a problem here. The juxtaposition of the non sequitur about chopping off the last 22 bytes makes it seem that that is all that is required to downgrade the MDC. Some digging reveals that this is actually quite difficult and has a very low chance of success((Discussion:[[https://github.com/google/end-to-end/issues/161|No warning on decrypting Tag 9 (no integrity protection) packets]], Exploit code:[[https://gist.github.com/coruus/85dea6eb82897044f65d]])). We can be charitable here and assume that the author simply did not do any research but this is very misleading.+We have a problem here. The juxtaposition of the non sequitur about chopping off the last 22 bytes makes it seem that that is all that is required to downgrade the MDC. Some digging reveals that this is actually quite difficult and has a very low chance of success(1 out of 65536)((Discussion:[[https://github.com/google/end-to-end/issues/161|No warning on decrypting Tag 9 (no integrity protection) packets]], Exploit code:[[https://gist.github.com/coruus/85dea6eb82897044f65d]])). This still leaves the message damaged enough that most implementations will simply blow up with an error. These ideas about the MDC seem to have come from a particularly hard to follow section of the EFAIL paper(([[pgpfan:legends|Misleading Legends Caused by EFAIL]])).
  
 >Trevor Perrin worked the SEIP out to 16 whole bits of security. >Trevor Perrin worked the SEIP out to 16 whole bits of security.
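
Review bot: The added sentence "This still leaves the message damaged enough that most implementations will simply blow up with an error" makes a claim about "most implementations" with no footnote, while the sentences on either side of it each carry one; cite a source or name the implementations that were checked. Separately, "success(1 out of 65536)" needs a space before the parenthesis. Since 1 in 65536 is 2^-16, and the quoted line that follows speaks of "16 whole bits of security", say explicitly whether these are the same figure so the reader does not have to infer it.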
Line 164: Line 164:
 | Messages Saved on Phone   | Revealed  | Protected        | | Messages Saved on Phone   | Revealed  | Protected        |
  
-So the encrypted email actually ends up providing a better result for the user. That is because it is possible to lock up the encryption key more securely in practice with an offline medium than it is with an online, always available, medium like instant messaging. It seems possible that people don't bother with forward secrecy for email because they perceive it to be secure enough already. Forward secrecy might not be worth the extra effort for that particular medium.+So the encrypted email actually ends up providing a better result for the user. That is because it is possible to lock up the secret key material more securely in practice with an offline medium than it is with an online, always available, medium like instant messaging. It seems possible that people don't bother with forward secrecy for email because they perceive it to be secure enough already. Forward secrecy might not be worth the extra effort for that particular medium.
  
 Please see the [[pgpfan:forward_secrecy|forward secrecy]] article for a somewhat more extensive discussion. Please see the [[pgpfan:forward_secrecy|forward secrecy]] article for a somewhat more extensive discussion.
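
Review bot: The change from "encryption key" to "secret key material" in the second sentence is not reflected in the revision summary ("We have a reference now"), which only describes the earlier hunk; note the terminology change there as well. The sentence also still leaves "lock up ... more securely in practice" unexplained, and the "Protected" cell in the table row above depends on it, so a short clause on what that storage looks like for the offline case would make the comparison checkable.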
pgpfan/tpp.1661085217.txt.gz · Last modified: 2022/08/21 12:33 by b.walzer