top | item 46494027

(no title)

bgwalter | 1 month ago

Accidentally replying in plaintext is a user error, scanning a QR code is a user error.

Yet one system is declared secure (Signal), the other is declared insecure. Despite the fact that the QR code issue happened in a war zone, whereas I have not heard of a similar PGP fail in the real world.

discuss

tptacek|1 month ago

First of all, accidentally replying in plaintext is hardly the only problem with PGP, just the most obvious one. Secondly, it's not user error: modern messaging cryptography is designed not to allow it to happen.

bgwalter|1 month ago

Modern cryptography should also not allow users to activate a sketchy linked device feature by scanning a QR code:

"Because linking an additional device typically requires scanning a quick-response (QR) code, threat actors have resorted to crafting malicious QR codes that, when scanned, will link a victim's account to an actor-controlled Signal instance."

This is a complete failure of the cryptosystem, worse than the issue of responding in plaintext. You can at least design an email client that simply refuses to send plaintext messages because PGP is modular.