[messaging] Exposing MITM attacks socially engineered through group chat introductions

carlo von lynX lynX at i.know.you.are.psyced.org
Sun Feb 1 02:22:20 PST 2015

On Sun, Feb 01, 2015 at 02:53:24AM +0100, Jeff Burdges wrote:
> Anyways, the problem with the current situation is : If we do not identify a “fingerprint” that’s safe to publish, then users imagine they can publish the identity key, the public key, or both.  
> This is not an academic discussion, multiple savvy users have told me they assumed they could publish both. 

I wouldn't expect the minority of existing PGP users to
be relevant. Would anyone else have the impulse to publish 
a series of apparently random characters anywhere.

Is there any reason at all why this data is being displayed 
by the UIs? I don't see any use for it anywhere. Manual keying 
works by exchanging armors, no need to ever look at fingerprints.

  E-mail is public! Talk to me in private using Tor.
  torify telnet loupsycedyglgamf.onion		DON'T SEND ME
          irc://loupsycedyglgamf.onion:67/lynX  PRIVATE EMAIL
         http://loupsycedyglgamf.onion/LynX/    OR FACEBOOGLE

More information about the Messaging mailing list