[Cryptography] any reviews of flowcrypt PGP for gmail?
Stephan Neuhaus
stephan.neuhaus at zhaw.ch
Wed Aug 26 04:50:04 EDT 2020
On 8/26/20 8:31 AM, Peter Gutmann wrote:
> A contributing factor to this is that you've got an encrypted SMS app that
> requires 161MB of code (three times the size of a complete Windows 95
> install), with a neverending stream of updates that don't seem to update
> anything. If you wanted to push out a malicious update there's every
> opportunity to do so, and plenty of space to hide it in. What's in that
> hundred-and-sixty-megabytes of gunk, and what do the neverending updates
> update?

Absolutely. I guess (but don't know, since 161 MiB are hard to verify)
that if you pared Signal down to "just the encrypted SMS, Ma'am", you
could do with much less, but that would then appeal only to geeks. And
if you want to go for a broader audience, you'll have to include
features that have nothing to do with secure messages, but exist only to
forestall arguments like "I won't use Signal because it doesn't do
<irrelevant feature>". For example, I can well imagine that some of the
gunk comes from UI frameworks that exist only to make Signal look like
other messengers, which in turn is important so that non-geek people can
view Signal as a drop-in replacement for those other messengers.

That's a deliberate decision by Signal, and I for one applaud them for
at least trying. I honestly don't want another geek-only tool that only
geeks use. Of course you may have a different opinion when your
requirements are different. If I were a dissident, I would probably not
use Signal.

As for what the frequent updates update, I just don't know. When I do a
git pull every month or so, I can always see many, many changes. It seems
to me that entire Java package hierarchies disappear, new ones appear,
and there is much code churn. If this is correct, it would indicate that
these aren't just bug fixes, but that the overall internal structure of
the app is still very much in flux. I have no idea whether that is a
good thing or not.

Fun
Stephan

PS: A complete OS/9-68k install took 2 1.44 MiB diskettes in 1993, if I
remember correctly. I'm not sure what a comparison of 25-year-old
installs with contemporary ones can meaningfully achieve, except of
course prove that one is getting progressively older :-)