A Solution for Sending Messages Safely from EFAIL-safe Senders to EFAIL-unsafe Receivers
Mirimir
mirimir at riseup.net
Tue May 29 21:22:33 CEST 2018
On 05/28/2018 12:15 AM, Werner Koch wrote:
> On Thu, 24 May 2018 00:05, gnupg-users at spodhuis.org said:
>
>> up at <https://github.com/autocrypt/memoryhole>.
>
> Given that I see more and more mails with "Encrypted mail" as subject,
> this feature is getting more and more annoying. It will eventually not
> anymore possible to pre-sort mails as it is commonly done either mental
> of by tools. Well, some MUAs might be able to auto-decrypt whole
> folders but that opens a more severe security problem (e.g. Tempest
> oracle) than having a plaintext subject.
That is problematic for me, because I choose to store messages
encrypted. My correspondents and I do use generic subject, but it's not
uncommon to have long, branching threads. So it's very difficult to find
old stuff. No search, without mass decryption. Maybe Enigmail needs a
search extension ;)
> We can't enforce technical security without proper OPSEC. Regarding the
> Subject, Reference, etc, it is way easy and more secure to educate the
> user about the fact that only the content is _end-to-end_ encrypted and
> other parts, like the Subject, are required to be plaintext for proper
> routing and mail handling.
I've started playing with HeaderToolsLite in Thunderbird. One can redact
many headers without affecting delivery, as I recall. But it's tedious.
Maybe I ought to go back to terminal clients.
> Regarding the subject there is a simple and also fun solution: If you
> need to hide the subject, use a nonsense phrase instead. Such a phrase
> makes mental pre-sorting as effecitive as an on-topic subject.
Or perhaps ~25 character ~random strings. That way, I could easily keep
notes about threads that I care about. That wouldn't be in Thunderbird,
and the VM host is LUKS encrypted. Or I could use tomb.
> Shalom-Salam,
>
> Werner
>
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
More information about the Gnupg-users
mailing list