I am using PGP 10.1.1.10.
There was in the news recently a story about the hacking of an online conference between the FBI and law enforcement agencies in Europe. This was accomplished by the group Anonymous after one of the European attendees forwarded his email invitation for the conference to his private email account whereupon Anonymous was able to steal it and read it and retrieve the conference passcode.
I asked myself, "If the FBI used PGP, couldn't that threat to steal the contents of the email message have been minimized if the FBI had chosen PGP's Secure Viewer feature when the email was encrypted?" The answer, I'm sorry to say, is probably 'no'. This is because the PGP email proxy will (usually) decrypt the email to a permanently readable form even if it was encrypted with the Secure Viewer option selected!
I tried these experiments. During each of them, the passphrase for my PGP key was cached:
Experiment 1: I composed a text email message to myself, then encrypted the body of the text message to my PGP key and I chose the Secure Viewer option. I sent the email 'in the clear' to make sure the email proxy performed no further encryption or signing operations on the email. Then I received the email and allowed the PGP email proxy to process it. The email was fully decrypted to readable text. The Secure Viewer requirement for the email was defeated!
Experiment 2: I composed a text message in a text file called 'My_Secure_Viewer_Message.txt'. I then used PGP to encrypt it to my PGP key specifying again the Secure Viewer option. The file now had the name 'My_Secure_Viewer_Message.txt.pgp'. I attached the file to a text email which I sent to myself. I made sure that the email proxy performed no further encryption or signing operations as the email was sent. Then I received the email and allowed the PGP email proxy to process it. The attachment was fully decrypted to readable text and now had the name 'My_Secure_Viewer_Message.txt'. Again, the Secure Viewer requirement for the file was defeated!
Experiment 3: I renamed the encrypted attachment file from 'My_Secure_Viewer_Message.txt.pgp' to 'My_Secure_Viewer_Message.txt'. I thought that maybe if the PGP email proxy did not see the extension .pgp then perhaps it wouldn't automatically decrypt the file. I was wrong! After receiving a new text email with this attachment through the PGP email proxy, the attached text file was fully decrypted to readable text. The name of the file was still 'My_Secure_Viewer_Message.txt'.
Experiment 4: I renamed the encrypted attachment file to 'My_Secure_Viewer_Message.xyz'. I theorized that maybe the PGP email proxy would always examine and decrypt .txt files and .pgp files (even those encrypted with the Secure Viewer option) but it would ignore anything else. I attached the file to a text email and sent it to myself 'in the clear'. In other words, the email proxy performed no further encryption or signing operations on the email as the email was sent. After I received the email through the email proxy, the attachment remained encrypted and the name of the attachment remained unchanged. I then saved the file from the email to disk and renamed it 'My_Secure_Viewer_Message.txt.pgp'. Then, from Windows Explorer I double-clicked on the file. Since my PGP key's passphrase was already cached, PGP immediately decrypted the file and displayed it in the Secure Viewer window. Finally, success!
Does anyone have any thoughts about this? Could Secure Viewer be implemented better in PGP?
Neil - Salem, MA USA
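
Added example, not part of Neil's post and not PGP's own code: a check a decrypting mail proxy could run on the decrypted Literal Data packet before writing plaintext into the mailbox. It assumes the Secure Viewer option is carried as the RFC 4880 (section 5.9) "for your eyes only" marker, the special filename `_CONSOLE`, which the post does not state; the function names and sample packets are constructed for illustration.

```python
import struct

EYES_ONLY_NAME = b"_CONSOLE"   # RFC 4880 5.9 "for your eyes only" filename
LITERAL_DATA_TAG = 11

def parse_header(buf):
    """Return (tag, body_offset, body_length or None) for one packet header."""
    if len(buf) < 2 or not buf[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    first = buf[0]
    if first & 0x40:                      # new-format header
        tag, o1 = first & 0x3F, buf[1]
        if o1 < 192:
            return tag, 2, o1
        if o1 < 224 and len(buf) >= 3:
            return tag, 3, ((o1 - 192) << 8) + buf[2] + 192
        if o1 == 255 and len(buf) >= 6:
            return tag, 6, struct.unpack(">I", buf[2:6])[0]
        if 224 <= o1 < 255:
            return tag, 2, None           # partial body: first chunk starts here
        raise ValueError("truncated header")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03
    if ltype == 3:
        return tag, 1, None               # indeterminate length
    size = (1, 2, 4)[ltype]
    return tag, 1 + size, int.from_bytes(buf[1:1 + size], "big")

def literal_info(packet):
    """Parse format and filename of a decrypted Literal Data packet."""
    tag, off, _ = parse_header(packet)
    if tag != LITERAL_DATA_TAG:
        raise ValueError("not a Literal Data packet")
    body = packet[off:]
    if len(body) < 2 or len(body) < 2 + body[1] + 4:
        raise ValueError("truncated Literal Data packet")
    name = body[2:2 + body[1]]
    return {"format": chr(body[0]), "filename": name,
            "eyes_only": name == EYES_ONLY_NAME}

def proxy_may_store_plaintext(packet):
    """Policy: never persist plaintext of a message flagged eyes-only."""
    return not literal_info(packet)["eyes_only"]

def build_literal(name, data, new_format=True):
    """Constructed sample packet (short body, one-octet length)."""
    body = b"t" + bytes([len(name)]) + name + b"\x00" * 4 + data
    tag_octet = 0xC0 | 11 if new_format else 0x80 | (11 << 2)
    return bytes([tag_octet, len(body)]) + body

if __name__ == "__main__":
    for n in (b"_CONSOLE", b"My_Secure_Viewer_Message.txt"):
        print(n, proxy_may_store_plaintext(build_literal(n, b"sample text")))
```

The flag lives inside the encrypted payload, so renaming the outer attachment as in Experiments 3 and 4 does not change it; only the component that decrypts can honor it.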