Re: Is YellowCrypt OK?
From: simon (ablv-ccop_at_spamex.com)
Date: 13 Jul 2005 00:18:55 -0700
Gregory G Rose wrote:
> Suppose there's an undercover worker in a
> dangerous place, and she gets a piece of email
> with an attachment (or whatever) that claims to
> be content encrypted with Yellowcrypt (or
> something else, it doesn't matter). She opens
> this email by clicking on the attachment, or
> nothing cryptographic preinstalled on her
> Given that what she has received has come through
> the hostile government to get to her, how can
> Yellowcrypt (or anything else) guarantee the
> security of the contents and the safety of the
> recipient? It could be a totally hostile message
> that installs a trojan horse on her computer and
> emails her password back to the government.
> So, please explain how your product guarantees
> this worker's safety.
Well, just for starters, PGP cannot solve this problem at all. The act
of having PGP on his system would already put the undercover worker
straight into jail. The same would hold for encrypting his disk.
Again, you have not read the documentation on the YellowCrypt Web site,
let alone tried the program.
The fact is that no matter what is sent to the undercover worker as a
faked attachment, the on-line YellowCrypt read&reply program will not
be able to open it unless it is an authentic YellowCrypt message. The
latter includes the ID of the sender. This ID is part of the
registration process. The activation code which produces the ID is - of
course - encrypted. And then there is still the message password issue.
In practice the evil power would have to take over the system of a
different underground worker and force the possessor to reveal his
password. From then on the evil power could pretend to be the captured
Of course in the case of PGP the same holds true. If I take over the
PGP PC I might not even need to know any PGP connected passwords for
the keystore. All I have to do is crack the Windows password - in about
2 seconds - and with a bit of luck, all the rest will be done fully
automatically. That is, the authentication will be correct and the
e-mail will be encrypted automatically, unless set up otherwise.
This is not the case with YellowCrypt. The password has to be keyed in
On the other hand, if PGP was set up properly - i.e. with nothing
running automatically - it will achieve the same security as is offered
by YellowCrypt for the case in question.