[Cryptography] any reviews of flowcrypt PGP for gmail?

Stephan Neuhaus stephan.neuhaus at zhaw.ch
Tue Aug 25 06:39:21 EDT 2020

On 8/24/20 6:38 PM, Phillip Hallam-Baker wrote:
> Telegram and Signal have the same issue with the possibility of downloading
> a poisoned update. Signal in particular demands weekly updates.

And if it doesn't get them (for example if, like me, you don't have a 
Google account and compile Signal from source[1]), it will run for about 
a month (I didn't check the exact period). And then it will count down 
about 10 days before it gives up the ghost. So the "demands weekly" 
update is in fact more of a "must-have monthly" update.

I have sympathy for the Signal developers. If there is a flaw in the 
software, they need to push updates, and push them fast. On the other 
hand, this makes it possible, under certain circumstances, to quickly 
push poisoned updates to targeted users. There is no good middle ground 
if you don't want to market yourself as a niche product. You're screwed 
either way.



[1] Before anyone jumps on this: I'm not doing this because I want to, 
but because precompiled versions of Signal are available on the official 
app stores only, and not, say, via F-Droid.

More information about the cryptography mailing list