Encryption on Mailing lists senseless?
Ingo Klöcker
kloecker at kde.org
Sat Nov 22 00:49:00 CET 2014
On Thursday 20 November 2014 14:36:35 Schlacta, Christ wrote:
> On Nov 20, 2014 1:58 PM, "Ingo Klöcker" <kloecker at kde.org> wrote:
> > On Tuesday 18 November 2014 22:43:18 MFPA wrote:
> > KMail encrypts an individual copy for each BCC recipient. I thought
> > Thunderbird+Enigmail would also do this.
> >
> > Any mail client not doing this completely subverts BCC (unless --throw-keyids
> > or --hidden-recipient is used, but even throwing the key IDs still leaks the
> > number of hidden recipients).
>
> There's nothing preventing a list server or mail client from intentionally
> adding a pseudo random quantity of invalid or junk keys to the recipient
> list, thus obfuscating the number of additional recipients, only providing
> an upper bound to the estimate.
Adding additional junk keys doesn't help if the recipient (or the recipients)
expect a certain number of recipients. If the message is encrypted to more
than (expected number of recipients)+1 (for encrypt to sender) then the
recipients most likely will wonder who the other recipients are. You'll have a
hard time convincing them that the "other recipients" are just fakes to
confuse a third party intercepting the messages.
Regards,
Ingo
More information about the Gnupg-users
mailing list