ZeroClick, poor encryption tools for NHS?

Paul Leyland pleyland@microsoft.com
Wed, 21 Feb 2001 01:06:49 -0800


> Forgive me if this has been mentioned before, if it has I missed it.
> ZeroClick appears to be a "security reducing automation tool". It is a
> 'bot which makes the usage of PGP transparent to the user.
> 
> The problem is an uneducated user is still likely to be duped. It
> requires no user intervention, it will automatically encrypt messages
> based on simple rules, and automatically decrypt upon receiving encrypted
> messages. So decrypted plaintext messages are stored on the hardware, which
> can be forwarded to a newsgroup or mailing list with a worm not unlike
> Caligula. Caligula sent PGP keyrings to the Codebreakers ftp or web site.

What is your threat model?

If the concern is messages being read in transit, and you're not worried
about the security of messages in a storage medium at each end, ZeroClick
sounds a great advance on either doing nothing or on antagonizing a large
number of users who really don't want any extra hassle.

Whether this is a reasonable threat model is open to question.

Bringing in Trojans/viruses/worms is a bit of a red herring.  If we
presuppose their existence on a target machine, we can just as easily posit
their capability to compromise keys and plaintext whatever communications
security mechanisms are in place.  Proper host security is important,
independently of the comms security.


Paul