by syscomet 3352 days ago
Those figures are both good and depressing to know, thanks.

I figured the PGP usability problems were severe enough that I did not call you out by name in the post. This aspect was merely a darkly amusing aside leading into the main point of how the Golang devs handled this so well.

You didn't know the content of the report, so the irony is only clear in retrospect: the whole point of the report was about vulnerability to MitM attack, and email MX->MX delivery is highly susceptible to that without some kind of trust anchoring in place, whether DANE or MTA-STS, neither of which is in place for the golang.org domain.

So the fact that TLS is _advertised_ by the gmail servers, which handle golang.org mail, doesn't mean that the advertisement reaches the sending mail-server.

I've since configured my mail-servers to always require verified TLS for outbound mail to the golang.org domain, as a manual override.
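The comment above describes why an advertised STARTTLS is not a guarantee: without a trust anchor such as MTA-STS, a sending MTA cannot tell a stripped or intercepted TLS offer from a legitimate one. The following is an added example, not code from the thread or from any mail server, that models the decision a sending MTA makes under an MTA-STS policy (RFC 8461): it parses a constructed `_mta-sts` TXT record and policy file, checks the MX host against the policy's `mx` patterns, and refuses delivery in `enforce` mode when TLS is absent or the certificate does not verify. The domain names, policy id and the `local_override` helper (standing in for the manual "always require verified TLS" override mentioned above) are illustrative assumptions.

```python
from dataclasses import dataclass

# Constructed sample records for illustration; not golang.org's real DNS or policy.
SAMPLE_TXT = "v=STSv1; id=20240101T000000"
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.test
mx: *.mx.example.test
max_age: 604800
"""


@dataclass
class StsPolicy:
    version: str
    mode: str      # "enforce", "testing" or "none"
    mx: list       # allowed MX host patterns, lower-cased
    max_age: int   # seconds the policy may be cached


def parse_sts_txt(txt):
    """Parse the _mta-sts.<domain> TXT record; return the policy id, or None if absent."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or "id" not in fields:
        return None
    return fields["id"]


def parse_sts_policy(text):
    """Parse the policy body served at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    version = mode = None
    mx, max_age = [], None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "version":
            version = value
        elif key == "mode":
            mode = value
        elif key == "mx":
            mx.append(value.lower())
        elif key == "max_age":
            max_age = int(value)
    if version != "STSv1" or mode not in ("enforce", "testing", "none") or max_age is None:
        raise ValueError("malformed MTA-STS policy")
    return StsPolicy(version, mode, mx, max_age)


def local_override(mx_patterns):
    """Assumed helper: a locally pinned 'always verified TLS' policy for one domain."""
    return StsPolicy("STSv1", "enforce", [p.lower() for p in mx_patterns], 0)


def mx_matches(pattern, host):
    """RFC 8461 MX matching: '*.' covers exactly one leftmost label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".mx.example.test"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return host == pattern


def delivery_decision(policy, mx_host, tls_offered, cert_verified):
    """Return (deliver, reason) for one MX attempt under the given policy."""
    if policy.mode == "none":
        return True, "mode none: opportunistic TLS only"
    listed = any(mx_matches(p, mx_host) for p in policy.mx)
    if listed and tls_offered and cert_verified:
        return True, "verified TLS to a policy-listed MX"
    if not listed:
        problem = "MX host not in policy"
    elif not tls_offered:
        problem = "STARTTLS not offered (possible downgrade)"
    else:
        problem = "certificate did not verify (possible interception)"
    if policy.mode == "enforce":
        return False, "refuse delivery: " + problem
    return True, "testing mode: deliver but report " + problem


if __name__ == "__main__":
    policy = parse_sts_policy(SAMPLE_POLICY)
    for host, tls, ok in [("mail.example.test", True, True),
                          ("mail.example.test", True, False),
                          ("mail.example.test", False, False),
                          ("rogue.example.net", True, True)]:
        print(host, delivery_decision(policy, host, tls, ok))
```

Note that an advertised STARTTLS alone (second and third cases) is never enough in `enforce` mode: the certificate must verify and the MX must be one the domain owner listed, which is exactly the anchoring the comment says is missing.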


I should update our docs to say:

* If you can get remote code execution in a Go program, use PGP. Otherwise do not.

Sent. We'll see if it's approved. https://golang.org/cl/40860