[4453] in cryptography@c2.net mail archive
Re: PGP 6.5/PGPnet Announcement!
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Tue Apr 6 15:27:20 1999
To: Michael Paul Johnson <mpj@ebible.org>
Cc: cryptography@c2.net
Date: Tue, 06 Apr 1999 14:44:21 -0400
From: "Steven M. Bellovin" <smb@research.att.com>
In message <4.1.19990406112715.00a50300@ebible.org>, Michael Paul Johnson writes:
>
> Of course this is dangerous, but there is a demand for it. Not everyone
> wants bomb-proof security. I wrote a self-decrypting archive program once,
> and the people using it are happy with it. It would be easy, of course, to
> substitute any malicious code you please, but sometimes that threat is much
> less concern than the fact that some people just plain wouldn't use any
> crypto at all without this option. The real cure, of course, is to so
> tightly and easily integrate security into email that it is as easy as this
> to use, but not as risky.
There's bomb-proof security, and there's "security" that itself is a time
bomb. I fear that self-extracting decryptors are much closer to the latter
than to the former -- very much closer.
You encrypt things because you think someone is trying to read them: if
no one is trying to read a file, why protect it? Self-decrypting files
are vulnerable to the simplest of active attacks. That in turn is likely
to leak the password to all the other files. (Yes, one can come up with
elaborate key management schemes to avoid that -- but if you're going to go
to that much trouble, why not just install a real security package?)
What you really have is a level of security about equivalent to rot13
or commercial telegraphy codes. You're safe against casual eyeballing --
someone happens to see it -- say, a system administrator working on the
mail system -- but won't bother to decrypt it. You have no protection
beyond that.
Sure, there's demand for it. There's also demand for all sorts of other
services that, if not illegal everywhere, aren't precisely looked upon
with favor by most segments of society. More or less by definition,
most folks on this list are in the security business. We're not helping
our own reputations if we peddle snake oil. And if neither the moral
aspect nor the practical aspect worries you, try the legal side of things --
explain the whole situation to a lawyer, and ask how strong a disclaimer
and a warning you need to protect you against a lawsuit -- a lawsuit that
may bankrupt you even if you win because your warning was strong enough.
(As an aside, this morning I happened to see some other site peddling
a similar product. But another product on the same Web page advertised
versions of the software with algorithms approved for British government
use by CESG. I wonder if they had to take out this particular misfeature
from that version of the product...)