
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   PUBLIC_KEYS      Public-Key Discussion Echo      845 messages   


   Message 772 of 845   
   Wilfred van Velzen to August Abolins   
   Re: Safester, anyone?   
   29 Jan 22 17:24:58   
   
   TID: FMail-lnx64 2.1.0.18-B20170815   
   RFC-X-No-Archive: Yes   
   TZUTC: 0100   
   CHRS: UTF-8 2   
   PID: GED+LNX 1.1.5-b20161221   
   MSGID: 2:280/464 61f56ba8   
   REPLY: 2:221/1.58@fidonet f8e44f3a   
   Hi August,   
      
   On 2022-01-29 09:12:00, you wrote to me:   
      
    AA>>> They do however store the passphrase using a SHA-1   
    AA>>> hashcode.  I thought SHA-1 was deprecated.   
      
    WvV>> It is considered no longer safe, afaik...   
      
    AA> But does it matter so much if the key management is local on the   
    AA> client?   
      
   It always matters!   
      
    AA> However, it is somewhat astonishing that SHA-1 was/is even used   
    AA> in the design.   
      
   Indeed. Which makes you question if they made other mistakes.   
      
    WvV>> An attacker with enough resources could in theory find   
    WvV>> some or all passwords. And of course that becomes   
    WvV>> progressively easier in the future...   
      
    AA> I am not impressed with the reports that people can process   
    AA> millions of hashes per second using dedicated GPUs.  So what if   
    AA> the hashes are decoded. They can't do anything with them to   
    AA> target millions of people en masse anyway. I think they would   
    AA> have to target SPECIFIC accounts and run the passwords one by   
    AA> one.   
      
    AA> In Safester, the decoded hash would reveal the passphrase, but   
    AA> the decrypting of the messages would be useless without the   
    AA> user's key which would reside in the local Safester prog or   
    AA> app.   
      
   Well, if your life depended on it, would you rather use Safester or Opengpg?   
      
    WvV>> So you can only exchange messages with other Safester   
    WvV>> users.   
      
    AA> Yeah.  :(  But it's not as bad as it sounds!  ;)   I think that   
    AA> may be better than forcing people to try DeltaChat as a 1st-   
    AA> time venture into secure communications.   
      
   The biggest drawback to me is you depend on a commercial company for your   
   secure mail. What if someone pays them a big sum for being able to eavesdrop   
   on your conversations, will they make a backdoor? What if they go bankrupt? Is   
   your mail lost forever?   
      
   Bye, Wilfred.   
   --- FMail-lnx64 2.1.0.18-B20170815   
    * Origin: FMail development HQ (2:280/464)   
   PATH: 280/464 301/1 229/426   
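
An added example, not part of the original message and not Safester's code: it contrasts a passphrase verifier stored as a single SHA-1 digest, the design discussed in the thread, with a salted PBKDF2-HMAC-SHA256 verifier, and measures the per-candidate cost difference locally. Assumptions: the SHA-1 digest is unsalted (the thread does not say), the PBKDF2 parameters are illustrative, and the account names and passphrases are constructed.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

ITERATIONS = 200_000  # illustrative work factor chosen for this example

# Constructed sample accounts; alice and carol share a passphrase.
SAMPLE = {"alice": "correct horse", "bob": "tr0ub4dor&3", "carol": "correct horse"}

def sha1_verifier(passphrase):
    """Single SHA-1 of the passphrase; unsalted is an assumption of this example."""
    return hashlib.sha1(passphrase.encode("utf-8")).hexdigest()

def kdf_verifier(passphrase, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, derived_key)."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, ITERATIONS)
    return salt, key

def kdf_check(passphrase, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(kdf_verifier(passphrase, salt)[1], expected)

def shared_digest_groups(store):
    """Audit: accounts whose stored verifiers are byte-identical."""
    groups = defaultdict(list)
    for user, verifier in store.items():
        groups[verifier].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def cost_ratio(samples=2000):
    """How many single SHA-1 computations fit in one PBKDF2 derivation, measured locally."""
    start = time.perf_counter()
    for i in range(samples):
        sha1_verifier("candidate-%d" % i)
    per_sha1 = (time.perf_counter() - start) / samples
    start = time.perf_counter()
    kdf_verifier("candidate", b"\x00" * 16)
    return (time.perf_counter() - start) / per_sha1

if __name__ == "__main__":
    sha1_store = {u: sha1_verifier(p) for u, p in SAMPLE.items()}
    kdf_store = {u: kdf_verifier(p)[1] for u, p in SAMPLE.items()}
    print("identical SHA-1 verifiers:", shared_digest_groups(sha1_store))
    print("identical PBKDF2 verifiers:", shared_digest_groups(kdf_store))
    print("one PBKDF2 derivation costs about %.0f SHA-1 calls" % cost_ratio())
```

With unsalted digests, equal passphrases produce equal stored values, so a single computed digest can be compared against every record at once; per-account salts remove that property and the iteration count raises the cost of each candidate.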
      



(c) 1994,  bbs@darkrealms.ca