>PGP will release unauthenticated plaintext to its callers and count on them to ... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		ubercow13 on Feb 19, 2020 \| parent \| context \| favorite \| on: Stop Using Encrypted Email >PGP will release unauthenticated plaintext to its callers and count on them to check out-of-band errors to see that the plaintext isn't safe Is that problem the same as this one? https://github.com/FiloSottile/age/issues/59

tptacek on Feb 19, 2020 [–]

It is not, no. The problem we're talking about allows you to exfiltrate plaintext from messages you don't have the keys for, which you can do because PGP makes the ciphertext of messages malleable. This Age discussion pertains to entire messages that attackers construct from scratch under their own keys.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact