Efail or OpenPGP is safer than S/MIME

Robert J. Hansen rjh at sixdemonbag.org
Mon May 14 11:42:19 CEST 2018

>> We hesitate to require the MDC also for old algorithms (3DES, CAST5>
>> because a lot of data has been encrypted using them in the first
>> years of OpenPGP.
> So if someone sends me a 3DES-encrypted mail it won't check the MDC?
> Doesn't gpg still support reading 3DES?

Let's try it and find out.  :)

PS C:\Users\rjh> gpg --recipient 0xB44427C7 --cipher-algo 3DES
--disable-mdc --encrypt --sign foo.cc
gpg: 0xB44427C7: skipped: public key already present
gpg: WARNING: encrypting without integrity protection is dangerous

PS C:\Users\rjh> gpg foo.cc.gpg
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: encrypted with 256-bit ECDH key, ID AA24CC81B8AED08B, created
      "Robert J. Hansen <rjh at sixdemonbag.org>"
File 'foo.cc' exists. Overwrite? (y/N) y
gpg: Signature made 05/14/18 05:40:46 Eastern Daylight Time
gpg:                using EDDSA key 4BF2042AE28F62B81736E8CBA83CAE94D3DC3873
gpg: Good signature from "Robert J. Hansen <rjh at sixdemonbag.org>" [ultimate]
gpg:                 aka "Robert J. Hansen <rob at enigmail.net>" [ultimate]
gpg:                 aka "Robert J. Hansen <rob at hansen.engineering>"
gpg: WARNING: message was not integrity protected

... Yep, GnuPG will warn you the message was not integrity protected.
Your email client should see this warning and refuse to render the message.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20180514/9ee8ba85/attachment.sig>

More information about the Gnupg-users mailing list