Hi August,
On 2022-01-29 09:12:00, you wrote to me:
AA>>> They do however store the passphrase using a SHA-1
AA>>> hashcode. I thought SHA-1 was deprecated.
WvV>> It is considered no longer safe, afaik...
AA> But does it matter so much if the key management is local on the
AA> client?
It always matters!
AA> However, it is somewhat astonishing that SHA-1 was/is even used
AA> in the design.
Indeed. Which makes you question if they made other mistakes.
WvV>> An attacker with enough resources could in theory find
WvV>> some or all passwords. And of course that becomes
WvV>> progressively easier in the future...
AA> I am not impressed with the reports that people can process
AA> millions of hashes per second using dedicated GPUs. So what if
AA> the hashes are decoded. They can't do anything with them to
AA> target millions of people en masse anyway. I think they would
AA> have to target SPECIFIC accounts and run the passwords one by
AA> one.
AA> In Safester, the decoded hash would reveal the passphrase, but
AA> the decrypting of the messages would be useless without the
AA> user's key which would reside in the local Safester prog or
AA> app.
Well if your life depended on it, would you rather use Safester or Opengpg?
WvV>> So you can only exchange messages with other Safester
WvV>> users.
AA> Yeah. :( But it's not as bad as it sounds! ;) I think that
AA> may be better than forcing people to try DeltaChat as a 1st-
AA> time venture into secure communications.
The biggest drawback to me is you depend on a commercial company for your
secure mail. What if someone pays them a big sum for being able to eavesdrop on
your conversations, will they make a backdoor? What if they go bankrupt? Is
your mail lost forever?
Bye, Wilfred.
--- FMail-lnx64 2.1.0.18-B20170815
* Origin: FMail development HQ (2:280/464)