
Re: PGP's "only for your eyes"



In article <[email protected]> [email protected] (Chris McAuliffe) writes:

> 	Maybe some of you already know about this.
> 
> 	When reading PGP's "Only for your eyes" messages, the program
> 	creates a temporary file containing the plaintext in the
> 	directory where the cyphertext file is.
> 
> 	So, don't worry about this option, it's quite useless.
> 
> The manual points out that you shouldn't rely on it. Its main purpose is
> simply to prevent accidentally or automatically leaving the plaintext
> lying around, not to actually securely guarantee that behaviour. After
> all, you could always cut-and-paste the text, or (since you have the PGP
> source) alter PGP to ignore the flag.

I've gotten burned by this because it created a temp file over NFS.
If I'd been able to read the message with my mail reader "pgp -f", I
would not have disclosed the information.  The for your eyes only
option is more than useless, it's dangerous.

> The real problem is not what it does, but what people *think* it might
> do.
> 
> I take that back. When I check the manual, it doesn't say that it is
> insecure. It really ought to. At least one of the books about PGP does
> though, I know I've read it somewhere other than email.

David
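
The failure described in this thread, a plaintext temp file written beside the ciphertext on an NFS mount, can be checked for before decrypting. The following is an added example, not part of the original messages or of PGP: it parses a mount table in Linux `/proc/mounts` format and reports whether a file's directory sits on a network filesystem. The function names, the `NETWORK_FS` list and the sample mount table are constructed for illustration.

```python
import posixpath
import re

# Filesystem types whose file contents travel over the network (assumed list).
NETWORK_FS = {"nfs", "nfs4", "cifs", "smb3", "afs", "9p", "ceph", "fuse.sshfs"}

# Constructed sample in Linux /proc/mounts format so the example runs offline.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
fileserver:/export/home /home nfs rw,vers=3 0 0
/dev/sdb1 /home/david/local ext4 rw 0 0
fileserver:/export/spool /var/mail\\040spool nfs4 rw 0 0
"""

def parse_mounts(text):
    """Return [(mount_point, fstype)]; octal escapes such as \\040 are decoded."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            mpoint = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), parts[1])
            mounts.append((mpoint, parts[2]))
    return mounts

def fs_for_path(path, mounts):
    """Longest-prefix match of an absolute path against the mount points."""
    if not path.startswith("/"):
        raise ValueError("absolute path required")
    path = posixpath.normpath(path)
    best = ("", None)
    for mpoint, fstype in mounts:
        prefix = mpoint.rstrip("/") + "/"
        # ">=" lets a later entry for the same mount point shadow an earlier one.
        if (path + "/").startswith(prefix) and len(prefix) >= len(best[0]):
            best = (prefix, fstype)
    return best[1]

def plaintext_would_cross_network(ciphertext_path, mounts):
    """True if a temp file created beside ciphertext_path lands on a network FS."""
    directory = posixpath.dirname(posixpath.normpath(ciphertext_path))
    return fs_for_path(directory, mounts) in NETWORK_FS

if __name__ == "__main__":
    table = parse_mounts(SAMPLE_MOUNTS)
    for p in ("/home/david/mail/msg.pgp", "/home/david/local/msg.pgp", "/tmp/msg.pgp"):
        print(p, "->", "NETWORK" if plaintext_would_cross_network(p, table) else "local")
```

On a live Linux system the mount table would come from reading `/proc/mounts` instead of `SAMPLE_MOUNTS`.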