PGP unsafe! Email security is unsafe and cannot be easily fixed,researchers say

**Nomen Nescio**

https://www.independent.co.uk/life-style/gadgets-and-
tech/news/email-security-s-mime-pgp-encryption-latest-broken-not-
working-fix-how-to-a8351116.html

**default[_2_]** · #2 May 15th 18, 12:59 PM posted to alt.comp.os.windows-10

On Tue, 15 May 2018 02:24:11 +0200 (CEST), Nomen Nescio
wrote:

https://www.independent.co.uk/life-style/gadgets-and-
tech/news/email-security-s-mime-pgp-encryption-latest-broken-not-
working-fix-how-to-a8351116.html

I hope nospam is paying attention....

https://en.wikipedia.org/wiki/Boundless_Informant

**Doomsdrzej**

On Tue, 15 May 2018 02:24:11 +0200 (CEST), Nomen Nescio
wrote:

https://www.independent.co.uk/life-style/gadgets-and-
tech/news/email-security-s-mime-pgp-encryption-latest-broken-not-
working-fix-how-to-a8351116.html

The last paragraph says it all: PGP itself is safe but the way the
third-party clients decrypt it is not.

**Tim[_10_]**

Doomsdrzej wrote in news:n1jlfddcit6u2j4v62370beu8ipges0tgk@
4ax.com:

On Tue, 15 May 2018 02:24:11 +0200 (CEST), Nomen Nescio
wrote:

https://www.independent.co.uk/life-style/gadgets-and-
tech/news/email-security-s-mime-pgp-encryption-latest-broken-not-
working-fix-how-to-a8351116.html

The last paragraph says it all: PGP itself is safe but the way the
third-party clients decrypt it is not.

I have said it before, and I'll say it again: Until we start at Layer 2 and
build in all the encryption/authentication/verification things we have
learned and developed over the last forty years, and include ways to add
others as they are developed, the Internet will not be universally safe. We
have piecemeal answers for some of the problems, but there is no overall
structure for implementing the things we need today to provide secure
communications.

Personally, I can see a tiered structure. The lowest tier is essentially
the way the Internet is today, You roll the dice and you take your chances.
Good for things like newsletters, bulk mailings, etc, but pretty much
unsecure. The next tier up starts implementing things like white lists,
verified receipt, and other lower level functions to increase security and
reliability. Each tier upwards adds more features such as stronger
encryption, authentication, secure identification, etc. And one will have
the option to add additional tiers for unique requirements above and beyond
ones universally available. Of course, there will be costs associated with
each tier, and it will be up to the individual user whether they will be
willing to pay for those features.

**default[_2_]** · #5 May 15th 18, 02:16 PM posted to alt.comp.os.windows-10

On Tue, 15 May 2018 12:42:18 GMT, Tim wrote:

Doomsdrzej wrote in news:n1jlfddcit6u2j4v62370beu8ipges0tgk@
4ax.com:

On Tue, 15 May 2018 02:24:11 +0200 (CEST), Nomen Nescio
wrote:

https://www.independent.co.uk/life-style/gadgets-and-
tech/news/email-security-s-mime-pgp-encryption-latest-broken-not-
working-fix-how-to-a8351116.html

The last paragraph says it all: PGP itself is safe but the way the
third-party clients decrypt it is not.

I have said it before, and I'll say it again: Until we start at Layer 2 and
build in all the encryption/authentication/verification things we have
learned and developed over the last forty years, and include ways to add
others as they are developed, the Internet will not be universally safe. We
have piecemeal answers for some of the problems, but there is no overall
structure for implementing the things we need today to provide secure
communications.

Personally, I can see a tiered structure. The lowest tier is essentially
the way the Internet is today, You roll the dice and you take your chances.
Good for things like newsletters, bulk mailings, etc, but pretty much
unsecure. The next tier up starts implementing things like white lists,
verified receipt, and other lower level functions to increase security and
reliability. Each tier upwards adds more features such as stronger
encryption, authentication, secure identification, etc. And one will have
the option to add additional tiers for unique requirements above and beyond
ones universally available. Of course, there will be costs associated with
each tier, and it will be up to the individual user whether they will be
willing to pay for those features.

I hear you.

I went to a local lawyer to have a simple power of attorney drawn up.
They email me the thing for approval/modification. I questioned their
use of email for this, to find out "that's how we do it..."

So I start poking around and figure out how to call up the header
fields, to find out they don't even have their own domain, but their
domain and email is held on Yahoo servers.

The problem is huge, the perception is minuscule.

**Doomsdrzej** · #6 May 15th 18, 04:26 PM posted to alt.comp.os.windows-10

On Tue, 15 May 2018 09:16:44 -0400, default
wrote:

On Tue, 15 May 2018 12:42:18 GMT, Tim wrote:

Doomsdrzej wrote in news:n1jlfddcit6u2j4v62370beu8ipges0tgk@
4ax.com:

On Tue, 15 May 2018 02:24:11 +0200 (CEST), Nomen Nescio
wrote:

https://www.independent.co.uk/life-style/gadgets-and-
tech/news/email-security-s-mime-pgp-encryption-latest-broken-not-
working-fix-how-to-a8351116.html

The last paragraph says it all: PGP itself is safe but the way the
third-party clients decrypt it is not.

I have said it before, and I'll say it again: Until we start at Layer 2 and
build in all the encryption/authentication/verification things we have
learned and developed over the last forty years, and include ways to add
others as they are developed, the Internet will not be universally safe. We
have piecemeal answers for some of the problems, but there is no overall
structure for implementing the things we need today to provide secure
communications.

Personally, I can see a tiered structure. The lowest tier is essentially
the way the Internet is today, You roll the dice and you take your chances.
Good for things like newsletters, bulk mailings, etc, but pretty much
unsecure. The next tier up starts implementing things like white lists,
verified receipt, and other lower level functions to increase security and
reliability. Each tier upwards adds more features such as stronger
encryption, authentication, secure identification, etc. And one will have
the option to add additional tiers for unique requirements above and beyond
ones universally available. Of course, there will be costs associated with
each tier, and it will be up to the individual user whether they will be
willing to pay for those features.

I hear you.

I went to a local lawyer to have a simple power of attorney drawn up.
They email me the thing for approval/modification. I questioned their
use of email for this, to find out "that's how we do it..."

So I start poking around and figure out how to call up the header
fields, to find out they don't even have their own domain, but their
domain and email is held on Yahoo servers.

The problem is huge, the perception is minuscule.

And as we know, Yahoo is synonymous with prosperity and security,
*especially* since they put a woman at the helm.

**default[_2_]** · #7 May 15th 18, 04:58 PM posted to alt.comp.os.windows-10

On Tue, 15 May 2018 11:26:31 -0400, Doomsdrzej wrote:

On Tue, 15 May 2018 09:16:44 -0400, default
wrote:

On Tue, 15 May 2018 12:42:18 GMT, Tim wrote:

Doomsdrzej wrote in news:n1jlfddcit6u2j4v62370beu8ipges0tgk@
4ax.com:

On Tue, 15 May 2018 02:24:11 +0200 (CEST), Nomen Nescio
wrote:

https://www.independent.co.uk/life-style/gadgets-and-
tech/news/email-security-s-mime-pgp-encryption-latest-broken-not-
working-fix-how-to-a8351116.html

The last paragraph says it all: PGP itself is safe but the way the
third-party clients decrypt it is not.

I have said it before, and I'll say it again: Until we start at Layer 2 and
build in all the encryption/authentication/verification things we have
learned and developed over the last forty years, and include ways to add
others as they are developed, the Internet will not be universally safe. We
have piecemeal answers for some of the problems, but there is no overall
structure for implementing the things we need today to provide secure
communications.

Personally, I can see a tiered structure. The lowest tier is essentially
the way the Internet is today, You roll the dice and you take your chances.
Good for things like newsletters, bulk mailings, etc, but pretty much
unsecure. The next tier up starts implementing things like white lists,
verified receipt, and other lower level functions to increase security and
reliability. Each tier upwards adds more features such as stronger
encryption, authentication, secure identification, etc. And one will have
the option to add additional tiers for unique requirements above and beyond
ones universally available. Of course, there will be costs associated with
each tier, and it will be up to the individual user whether they will be
willing to pay for those features.

I hear you.

I went to a local lawyer to have a simple power of attorney drawn up.
They email me the thing for approval/modification. I questioned their
use of email for this, to find out "that's how we do it..."

So I start poking around and figure out how to call up the header
fields, to find out they don't even have their own domain, but their
domain and email is held on Yahoo servers.

The problem is huge, the perception is minuscule.

And as we know, Yahoo is synonymous with prosperity and security,
*especially* since they put a woman at the helm.

Do you really think that the CEO's of companies understand the
business of the companies they manage? They only understand profit;
let me restate that: they only understand PROFIT!!!

Not the solvency of the company, not the long term viability of the
company, not who they hurt or what they do, just the instantaneous
peak dollar amount of the stock price. That is all that matters.

Being female has nothing to do with it, greed and short-sighted
stupidity affects women as well as men.

**Char Jackson** · #8 May 15th 18, 04:28 PM posted to alt.comp.os.windows-10

On Tue, 15 May 2018 09:16:44 -0400, default
wrote:

On Tue, 15 May 2018 12:42:18 GMT, Tim wrote:

Doomsdrzej wrote in news:n1jlfddcit6u2j4v62370beu8ipges0tgk@
4ax.com:

On Tue, 15 May 2018 02:24:11 +0200 (CEST), Nomen Nescio
wrote:

https://www.independent.co.uk/life-style/gadgets-and-
tech/news/email-security-s-mime-pgp-encryption-latest-broken-not-
working-fix-how-to-a8351116.html

The last paragraph says it all: PGP itself is safe but the way the
third-party clients decrypt it is not.

I have said it before, and I'll say it again: Until we start at Layer 2 and
build in all the encryption/authentication/verification things we have
learned and developed over the last forty years, and include ways to add
others as they are developed, the Internet will not be universally safe. We
have piecemeal answers for some of the problems, but there is no overall
structure for implementing the things we need today to provide secure
communications.

Personally, I can see a tiered structure. The lowest tier is essentially
the way the Internet is today, You roll the dice and you take your chances.
Good for things like newsletters, bulk mailings, etc, but pretty much
unsecure. The next tier up starts implementing things like white lists,
verified receipt, and other lower level functions to increase security and
reliability. Each tier upwards adds more features such as stronger
encryption, authentication, secure identification, etc. And one will have
the option to add additional tiers for unique requirements above and beyond
ones universally available. Of course, there will be costs associated with
each tier, and it will be up to the individual user whether they will be
willing to pay for those features.

I hear you.

I went to a local lawyer to have a simple power of attorney drawn up.
They email me the thing for approval/modification. I questioned their
use of email for this, to find out "that's how we do it..."

So I start poking around and figure out how to call up the header
fields, to find out they don't even have their own domain, but their
domain and email is held on Yahoo servers.

The problem is huge, the perception is minuscule.

I recently bought a European SIM card for a family member who'll be
traveling there soon from the States. Among other things, you have to
provide the traveler's full name, birthday, passport number, and more.

The company offered several methods to get the thing activated, but they
stressed that email was their preferred method. You guessed it, they had
an @gmail.com address! Seriously? You just have to wonder.

**nospam** · #9 May 15th 18, 07:24 PM posted to alt.comp.os.windows-10

In article , Char Jackson
wrote:

I recently bought a European SIM card for a family member who'll be
traveling there soon from the States. Among other things, you have to
provide the traveler's full name, birthday, passport number, and more.

that's not unusual.

The company offered several methods to get the thing activated, but they
stressed that email was their preferred method. You guessed it, they had
an @gmail.com address! Seriously? You just have to wonder.

not really.

they were probably using gsuite, which is *very* secu
https://gsuite.google.com/faq/security/

**Doomsdrzej** · #10 May 15th 18, 02:30 PM posted to alt.comp.os.windows-10

On Tue, 15 May 2018 12:42:18 GMT, Tim wrote:

Doomsdrzej wrote in news:n1jlfddcit6u2j4v62370beu8ipges0tgk@
4ax.com:

On Tue, 15 May 2018 02:24:11 +0200 (CEST), Nomen Nescio
wrote:

https://www.independent.co.uk/life-style/gadgets-and-
tech/news/email-security-s-mime-pgp-encryption-latest-broken-not-
working-fix-how-to-a8351116.html

The last paragraph says it all: PGP itself is safe but the way the
third-party clients decrypt it is not.

I have said it before, and I'll say it again: Until we start at Layer 2 and
build in all the encryption/authentication/verification things we have
learned and developed over the last forty years, and include ways to add
others as they are developed, the Internet will not be universally safe. We
have piecemeal answers for some of the problems, but there is no overall
structure for implementing the things we need today to provide secure
communications.

ARPANet was designed to be secure through its obscurity as far as I
can tell. When it was released to the public, nobody seemed to foresee
how things would need to be secured any further than with a username
and password from what I can tell.

Personally, I can see a tiered structure. The lowest tier is essentially
the way the Internet is today, You roll the dice and you take your chances.
Good for things like newsletters, bulk mailings, etc, but pretty much
unsecure. The next tier up starts implementing things like white lists,
verified receipt, and other lower level functions to increase security and
reliability. Each tier upwards adds more features such as stronger
encryption, authentication, secure identification, etc. And one will have
the option to add additional tiers for unique requirements above and beyond
ones universally available. Of course, there will be costs associated with
each tier, and it will be up to the individual user whether they will be
willing to pay for those features.

I think that's a good idea.You're doing with security what the
government did with highways here in Quebec. You can usie the public
system and get to your destination but you'll sit in traffic or you
can pay to use the 25 and avoid congestion. I can see such a system
working with security as well since there are always people who think
that sitting in traffic for an hour is better than just paying a $3
toll.

**Mr. Man-wai Chang**

https://www.independent.co.uk/life-style/gadgets-an
tech/news/email-security-s-mime-pgp-encryption-latest-broken-not-working-fix-how-to-a8351116.html

--
@~@ Remain silent! Drink, Blink, Stretch! Live long and prosper!!
/ v \ Simplicity is Beauty!
/( _ )\ May the Force and farces be with you!
^ ^ (x86_64 Ubuntu 9.10) Linux 2.6.39.3
ä¸å€Ÿè²¸! ä¸è©é¨™! ä¸è³*éŒ¢! ä¸æ´äº¤! ä¸æ‰“äº¤! ä¸æ‰“åŠ«! ä¸è‡ªæ®º! ä¸æ±‚ç¥ž! è«‹è€ƒæ…®ç¶œæ´
(CSSA):
http://www.swd.gov.hk/tc/index/site_...sub_addressesa

**Mr. Man-wai Chang**

https://www.independent.co.uk/life-style/gadgets-and-tech/news/email-security-s-mime-pgp-encryption-latest-broken-not-working-fix-how-to-a8351116.html

--
@~@ Remain silent! Drink, Blink, Stretch! Live long and prosper!!
/ v \ Simplicity is Beauty!
/( _ )\ May the Force and farces be with you!
^ ^ (x86_64 Ubuntu 9.10) Linux 2.6.39.3
ä¸å€Ÿè²¸! ä¸è©é¨™! ä¸è³*éŒ¢! ä¸æ´äº¤! ä¸æ‰“äº¤! ä¸æ‰“åŠ«! ä¸è‡ªæ®º! ä¸æ±‚ç¥ž! è«‹è€ƒæ…®ç¶œæ´
(CSSA):
http://www.swd.gov.hk/tc/index/site_...sub_addressesa

**Anonymous**

Mr. Man-wai Chang was thinking very hard :
https://www.independent.co.uk/life-style/gadgets-and-tech/news/email-security-s-mime-pgp-encryption-latest-broken-not-working-fix-how-to-a8351116.html

it would be nice if this guy could figure out how to correctly reply to
a post instead of littering up the news group with unthreaded replies

**Nomen Nescio**

Anonymous wrote:

Mr. Man-wai Chang was thinking very hard :
https://www.independent.co.uk/life-style/gadgets-and-tech/news/email-security-s-mime-pgp-encryption-latest-broken-not-working-fix-how-to-a8351116.html

it would be nice if this guy could figure out how to correctly reply to
a post instead of littering up the news group with unthreaded replies

| Injection-Info: toylet.eternal-september.org

says it all.

**David**

In article
Anonymous wrote:

Mr. Man-wai Chang was thinking very hard :
https://www.independent.co.uk/life-style/gadgets-and-tech/news/email-security-s-mime-pgp-encryption-latest-broken-not-working-fix-how-to-a8351116.html

it would be nice if this guy could figure out how to correctly reply to
a post instead of littering up the news group with unthreaded replies

No whining on Usenet.

Thread Tools
Show Printable Version Email this Page
Display Modes	Rate This Thread
Switch to Linear Mode Hybrid Mode Switch to Threaded Mode	Rate This Thread: