
Concerned about Pretty Safe Mail for Mac



  I'm concerned about the product "Pretty Safe Mail" for the Macintosh,
by a company called Highware. I was wondering whether anyone here had
tried evaluating it at all.

  It is a complete PGP implementation (not a front-end). They claim
to have licensed some of PRZ's code from PGP. However, as far as I
can tell, they are not making any of the source code available.

  As someone on the comp.security.pgp newsgroups pointed out, writing
a wonderful user interface on a PGP trojan horse that either crippled
the session key generator or used the session key to leak random
portions of secret key primes would be a perfect tactic for a
government wishing to penetrate PGP security. With such a great
interface, compared to the original PGP, it can't help but become
widely used.

  I realize that without the source code, it's a major hassle, but
has anyone looked at Pretty Safe Mail (previously called Safemail)
at all for suspicious behavior? For example:

  1) non-random session key generation?
  2) non-random key pair generation?
  3) unnecessary disk access to secret keys?
  4) anything else?

  Any findings, positive or negative, would be appreciated.