From: Jeremey Barrett <jeremey@veriweb.com>
Date: Fri, 7 Mar 1997 15:55:49 -0800 (PST)
To: anand@querisoft.com
Subject: Re: SecureFile
Message-ID: <33203B5E.28D8E637@veriweb.com>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

> Querisoft's SecureFile v1.0 Beta for Windows NT and Windows 95 (with IE
> 3.x) is now available
> for download from http://www.querisoft.com/securefile.html. This is one
> of the first client
> applications that uses Microsoft's CAPI 2.0 (beta)

Umm... reading your faq... (http://www.querisoft.com/SFFAQ.html) you
state that you use the windows95 user password as the password for
encrypting files. You also seem to imply that you don't actually
_ask_ for the password, windows gives it to you (albeit hashed
or something already, I imagine). If that is the case, that is extremely
worrisome. In fact it's outrageous.

That would imply that any _other_ application, benign or evil, could
also 
access the same password and immediately decrypt files.

Is that so? (Not coding much on windows, I don't know if applications
can access the user's hashed or encrypted password, but I would guess
they could.)

Jeremey.

- -- 
=-----------------------------------------------------------------------= 
Jeremey Barrett                                  VeriWeb Internet Corp.
Crypto, Ecash, Commerce Systems                  http://www.veriweb.com/

PGP Key fingerprint =  3B 42 1E D4 4B 17 0D 80  DC 59 6F 59 04 C3 83 64
=-----------------------------------------------------------------------=

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMyA7YS/fy+vkqMxNAQGVSAP/dc1ZwWdfdJZ8gfJNUY3tias5LZi3pWzf
NihyMClArDG7Nb+XQ+s+EILi+FCMCJgtnxoc5AYGW/M/2YlHq9P0ZsUG/PQCgP9x
3+rHi8Zl2BIEqhbkKh0RfAo1Ag6/gSygpTKJz+jQCb440FpTT1CpFCKyN5HSNczc
ZuJwhM4Fzi4=
=ao2E
-----END PGP SIGNATURE-----