[Cryptography] any reviews of flowcrypt PGP for gmail?

Stephan Neuhaus stephan.neuhaus at zhaw.ch
Tue Aug 25 06:39:21 EDT 2020


On 8/24/20 6:38 PM, Phillip Hallam-Baker wrote:
> Telegram and Signal have the same issue with the possibility of downloading
> a poisoned update. Signal in particular demands weekly updates.

And if it doesn't get them (for example if, like me, you don't have a 
Google account and compile Signal from source[1]), it will run for about 
a month (I didn't check the exact period). And then it will count down 
about 10 days before it gives up the ghost. So the "demands weekly" 
update is in fact more of a "must-have monthly" update.

I have sympathy for the Signal developers. If there is a flaw in the 
software, they need to push updates, and push them fast. On the other 
hand, this makes it possible, under certain circumstances, to quickly 
push poisoned updates to targeted users. There is no good middle ground 
if you don't want to market yourself as a niche product. You're screwed 
either way.

Fun

Stephan

[1] Before anyone jumps on this: I'm not doing this because I want to, 
but because precompiled versions of Signal are available on the official 
app stores only, and not, say, via F-Droid.

