[Cryptography] any reviews of flowcrypt PGP for gmail?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Aug 26 02:31:54 EDT 2020

Stephan Neuhaus <stephan.neuhaus at zhaw.ch> writes:

>I have sympathy for the Signal developers. If there is a flaw in the
>software, they need to push updates, and push them fast. On the other hand,
>this makes it possible, under certain circumstances, to quickly push poisoned
>updates to targeted users.

A contributing factor to this is that you've got an encrypted SMS app that
requires 161MB of code (three times the size of a complete Windows 95
install), with a neverending stream of updates that don't seem to update
anything.  If you wanted to push out a malicious update there's every
opportunity to do so, and plenty of space to hide it in.  What's in that
hundred-and-sixty-megabytes of gunk, and what do the neverending updates


More information about the cryptography mailing list