Encryption on Mailing lists senseless?

Ingo Klöcker kloecker at kde.org
Sat Nov 22 00:49:00 CET 2014


On Thursday 20 November 2014 14:36:35 Schlacta, Christ wrote:
> On Nov 20, 2014 1:58 PM, "Ingo Klöcker" <kloecker at kde.org> wrote:
> > On Tuesday 18 November 2014 22:43:18 MFPA wrote:
> > KMail encrypts an individual copy for each BCC recipient. I thought
> > Thunderbird+Enigmail would also do this.
> > 
> > Any mail client not doing this completely subverts BCC (unless
> > --throw-keyids or --hidden-recipient is used, but even throwing the key
> > IDs still leaks the number of hidden recipients).
> 
> There's nothing preventing a list server or mail client from intentionally
> adding a pseudo random quantity of invalid or junk keys to the recipient
> list, thus obfuscating the number of additional recipients, only providing
> an upper bound to the estimate.

Adding additional junk keys doesn't help if the recipient (or the recipients) 
expect a certain number of recipients. If the message is encrypted to more 
than (expected number of recipients)+1 (for encrypt to sender) then the 
recipients most likely will wonder who the other recipients are. You'll have a 
hard time convincing them that the "other recipients" are just fakes to 
confuse a third party intercepting the messages.


Regards,
Ingo
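
The point discussed in this message, that throwing the key IDs still leaks the number of recipients, shown as an added example that is not part of the original post: a reader for the public-key encrypted session key packets (tag 1, RFC 4880 framing) at the start of a binary OpenPGP message. The function names and the sample bytes are constructed for illustration.

```python
HIDDEN = "00" * 8  # all-zero key ID, written by --throw-keyids / --hidden-recipient

def recipient_slots(data: bytes) -> list:
    """Key IDs (hex) of the PKESK packets (tag 1) that lead a binary OpenPGP message."""
    slots, pos = [], 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        new_format = bool(hdr & 0x40)
        tag = hdr & 0x3F if new_format else (hdr >> 2) & 0x0F
        if tag != 1:  # reached the encrypted data packet: stop counting
            break
        pos += 1
        if new_format:
            first = data[pos]
            if first < 192:
                length, pos = first, pos + 1
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif first == 255:
                length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
            else:
                raise ValueError("partial body length in a PKESK packet")
        else:
            size = {0: 1, 1: 2, 2: 4}.get(hdr & 0x03)
            if size is None:
                raise ValueError("indeterminate length in a PKESK packet")
            length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        body = data[pos:pos + length]
        if len(body) < 10 or body[0] != 3:
            raise ValueError("unexpected PKESK body")
        slots.append(body[1:9].hex())  # version(1) | key ID(8) | algorithm(1) | MPIs
        pos += length
    return slots

def summarize(data: bytes) -> tuple:
    """(number of recipient slots, number of those with a hidden key ID)."""
    slots = recipient_slots(data)
    return len(slots), slots.count(HIDDEN)

# Constructed sample, not real ciphertext: one named and two hidden recipients.
def _pkesk(key_id: bytes, header: int) -> bytes:
    body = b"\x03" + key_id + b"\x01" + b"\x00\x10\xab\xcd"
    return bytes([header, len(body)]) + body

SAMPLE = (_pkesk(bytes.fromhex("1122334455667788"), 0x84)
          + _pkesk(bytes(8), 0x84) + _pkesk(bytes(8), 0xC1)
          + b"\xd2\xe0" + b"\x00" * 8)  # start of the encrypted data packet
```

For the sample, `summarize(SAMPLE)` reports three recipient slots, two of them hidden: the key IDs are gone but the count is still readable by anyone who holds the message.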