[Enigmail] spoofability of inline-signed messages in enigmail
Robert J. Hansen
rjh at sixdemonbag.org
Wed May 6 09:29:03 PDT 2009
Daniel Kahn Gillmor wrote:
> But these injections seem dubious due to their spoofability.
On the one hand, I agree with you; on the other, I think history shows
this is not a pressing concern. PGP Desktop did basically the same
thing for years, and I'm unaware of any successful spoofing attacks that
were applied against it.
That said, this is still something best addressed sooner rather than
later. We should be wary of falling into the Russian Roulette Fallacy,
where just because something hasn't historically been a problem we
assume it will never be a problem.
(For those who've never heard of the RRF -- in American English,
"Russian roulette" is placing a single bullet into a revolver, spinning
the cylinder, putting it at your head and pulling the trigger. If
you're lucky enough to survive pulling the trigger once, you shouldn't
take that as evidence that you can keep doing it.)
More information about the Enigmail
mailing list