[Cryptography] any reviews of flowcrypt PGP for gmail?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Aug 26 02:31:54 EDT 2020


Stephan Neuhaus <stephan.neuhaus at zhaw.ch> writes:

>I have sympathy for the Signal developers. If there is a flaw in the
>software, they need to push updates, and push them fast. On the other hand,
>this makes it possible, under certain circumstances, to quickly push poisoned
>updates to targeted users.

A contributing factor to this is that you've got an encrypted SMS app that
requires 161MB of code (three times the size of a complete Windows 95
install), with a neverending stream of updates that don't seem to update
anything.  If you wanted to push out a malicious update there's every
opportunity to do so, and plenty of space to hide it in.  What's in that
hundred-and-sixty-megabytes of gunk, and what do the neverending updates
update?

Peter.



