[Cryptography] any reviews of flowcrypt PGP for gmail?

Stephan Neuhaus stephan.neuhaus at zhaw.ch
Wed Aug 26 04:50:04 EDT 2020

On 8/26/20 8:31 AM, Peter Gutmann wrote:
> A contributing factor to this is that you've got an encrypted SMS app that
> requires 161MB of code (three times the size of a complete Windows 95
> install), with a neverending stream of updates that don't seem to update
> anything.  If you wanted to push out a malicious update there's every
> opportunity to do so, and plenty of space to hide it in.  What's in that
> hundred-and-sixty-megabytes of gunk, and what do the neverending updates
> update?

Absolutely. I guess (but don't know, since 161 MiB are hard to verify) 
that if you pared Signal down to "just the encrypted SMS, Ma'am", you 
could do with much less, but that would then appeal only to geeks. And 
if you want to go for a broader audience, you'll have to include 
features that have nothing to do with secure messages, but exist only to 
forestall arguments like "I won't use Signal because it doesn't do 
<irrelevant feature>". For example, I can well imagine that some of the 
gunk comes from UI frameworks that exist only to make Signal look like 
other messengers, which in turn is important so that non-geek people can 
view Signal as a drop-in replacement for those other messengers.

That's a deliberate decision by Signal, and I for one applaud them for 
at least trying. I honestly don't want another geek-only tool that only 
geeks use.  Of course you may have a different opinion when your 
requirements are different.  If I were a dissident, I would probably not 
use Signal.

As for what the frequent updates update, I just don't know. When I do a 
git pull every month or so, I can always see many many changes. It seems 
to me that entire Java package hierarchies disappear, new ones appear, 
and there is much code churn. If this is correct, it would indicate that 
these aren't just bug fixes, but that the overall internal structure of 
the app is still very much in flux. I have no idea whether that is a 
good thing or not.



PS: A complete OS/9-68k install took 2 1.44 MiB diskettes in 1993, if I 
remember correctly. I'm not sure what a comparison of 25-year-old 
installs with contemporary ones can meaningfully achieve, except of 
course prove that one is getting progressively older :-)

More information about the cryptography mailing list