Something to consider is that the attack is only practical if you have gpg decrypt every incoming email as it arrives. If you only decrypt from known senders, and verify the signature first, this wouldn’t be a problem. In short, setting things up so that encrypting all email is convenient leaves you more exposed to attacks.
I’ve become sort of obsessed with how the clamor to “encrypt all the things” may result in a net reduction of security. Basically, encryption is a signal that something is important, and as we encrypt everything, we lose that signal and start lumping priority info and junk into the same bucket.
Reminds me of a similar paper [1], by the same author, covering the recovery of GPG keys by recording the coil whine sounds from a laptop.
If I had seen this kind of stuff in a crime TV show like CSI first, I would have ridiculed the idea.