
Huge Cajones Remailer writes:
It'd be nice to have more specifics about the whole situation, but regardless - any preliminary threat assessments? Exactly how widely exploited do you think this has been?
Tim's post (although refuted by Marc) raises some serious issues since I suspect that Joe Public has his secret key sitting in c:\pgp\secring.pgp
Of course that's IDEA-encrypted (or maybe something better in PGP 5) so the attacker would need a lot of compute power to brute-force the key. I wouldn't worry too much about someone getting my secring.pgp. However I would worry about them getting my mail folder, my .rhosts, my /etc/password, etc.
Some coherent input on the possible impact of this would be appreciated.
Yes, a description of the exploit would be very helpful. It should be fairly easy to hack a proxy to search and destroy the Java/Javascript CaptiveX attacklet as it's being received.
--
Eric Murray ericm@lne.com
Network security and encryption consulting. PGP keyid:E03F65E5