[Cryptography] any reviews of flowcrypt PGP for gmail?

Henry Baker hbaker1 at pipeline.com
Tue Aug 25 13:20:11 EDT 2020


At 03:39 AM 8/25/2020, Stephan Neuhaus wrote:
>On 8/24/20 6:38 PM, Phillip Hallam-Baker wrote:
>>Telegram and Signal have the same issue with the possibility of downloading
>>a poisoned update. Signal in particular demands weekly updates.
>
>And if it doesn't get them (for example if, like me, you don't have a Google account and compile Signal from source[1]), it will run for about a month (I didn't check the exact period). And then it will count down about 10 days before it gives up the ghost. So the "demands weekly" update is in fact more of a "must-have monthly" update.
>
>I have sympathy for the Signal developers. If there is a flaw in the software, they need to push updates, and push them fast. On the other hand, this makes it possible, under certain circumstances, to quickly push poisoned updates to targeted users. There is no good middle ground if you don't want to market yourself as a niche product. You're screwed either way.
>
>Fun
>
>Stephan
>
>[1] Before anyone jumps on this: I'm not doing this because I want to, but because precompiled versions of Signal are available on the official app stores only, and not, say, via F-Droid.

Perhaps I'm being paranoid, but why does Signal *require* some of the Android permissions it seeks?

I'd rather have a version of Signal that *doesn't* use SMS, but depends only upon standard internet protocols routed through Tor.

I fully expect to wake up some morning and read about the NSA being behind yet another Swiss company -- in this case Silent Circle.

jes sayin' ...


