Security suggestion.

32 views
Skip to first unread message

whoson...@gmail.com

unread,
May 21, 2017, 10:36:04 AM5/21/17
to EncryptPad
Thanks I'm loving EncryptPad!

I was wondering if it would be possible to have EncryptPad display garbled text as apposed to not letting you proceed when a wrong password is entered. I figure someone can easily write a program to guess passwords.

Evgeny Pokhilko

unread,
May 22, 2017, 10:22:38 AM5/22/17
to EncryptPad
Hello,

Yes, there is integrity check. This feature (or issue, depending on how you look at it) is not something that EncryptPad introduced. It's an integral part of OpenPGP. If removed, OpenPGP protocol will not be followed (see rfc4880). Why this feature was not considered a weakness when OpenPGP was designed is another question. I will investigate as time allows.

Cheers,
Evgeny
> --
> You received this message because you are subscribed to the Google Groups "EncryptPad" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to encryptpad+...@googlegroups.com.
> To post to this group, send an email to encry...@googlegroups.com.
> To view this discussion on the web, visit https://groups.google.com/d/msgid/encryptpad/9333c010-187d-46d8-bd5c-8345e69d3b74%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.


--
Evgeny Pokhilko <soft...@evpo.net>

Evgeny Pokhilko

unread,
Jun 23, 2017, 5:48:02 AM6/23/17
to EncryptPad
I have done some research regarding this topic. The community on a gnupg security forum does not consider the integrity check a weakness or threat. In addition, I found a study that discovered a vulnerability that was rectified by integrity verification. See the link below:

https://www.schneier.com/academic/archives/2002/01/implementation_of_ch.html

On Tue, 23 May 2017 00:22:29 +1000
Evgeny Pokhilko wrote:

> Hello,
>
> Yes, there is integrity check. This feature (or issue, depending on how you look at it) is not something that EncryptPad introduced. It's an integral part of OpenPGP. If removed, OpenPGP protocol will not be followed (see rfc4880). Why this feature was not considered a weakness when OpenPGP was designed is another question. I will investigate as time allows.
>

--
Evgeny Pokhilko <soft...@evpo.net>
Reply all
Reply to author
Forward
0 new messages