OpenPGP SEIP downgrade attack
metzdowd.com
The flaw he appears to be talking about is that the OpenPGP MDC doesn't cover metadata; the message must be parsed to recover the authenticator before the authenticator can be checked, and so the ciphertext is malleable.
The properties he's talking about for CFB are largely true of CTR as well (the gold standard in streaming modes). I think, by suggesting PGP use a "different mode", he may instead mean it would be better if PGP used an authenticated encryption mode.
Authentication is a weak spot for PGP, since its design predates much of authenticated cryptography.
Indeed, further down the thread Werner Koch suggests the solution is deploying AEAD modes, but the bottleneck is other implementations picking it up.
As an aside, I'm surprised this got posted to cryptography@metzdowd; the S/N on that list is so low I'm surprised anyone still bothers to read it.
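The practical defence against a SEIP downgrade is on the receiving side: before any decryption, look at the outer packet tag and refuse the legacy Symmetrically Encrypted Data packet (tag 9), which carries no MDC at all, rather than decrypting it and only then noticing the integrity check is missing. The following is an added example, not code from this thread or from GnuPG, that parses an OpenPGP packet header (old and new format, RFC 4880 section 4.2) and applies that policy. The packet tag numbers are the real ones from RFC 4880; the message bytes are constructed (the "ciphertext" is filler, since only the header and version byte are inspected).

```python
"""OpenPGP packet-header parser with an integrity-protection policy (constructed example)."""

TAG_SE = 9      # Symmetrically Encrypted Data: CFB only, no MDC (RFC 4880 s5.7)
TAG_SEIPD = 18  # Sym. Encrypted Integrity Protected Data: CFB + MDC (RFC 4880 s5.13)


def parse_packet_header(buf, offset=0):
    """Return (tag, body_start, body_len, is_partial) for the packet at `offset`.

    body_len is None for an old-format indeterminate length. Raises ValueError
    on a malformed or truncated header.
    """
    if offset >= len(buf):
        raise ValueError("truncated packet header")
    ptag = buf[offset]
    if not ptag & 0x80:
        raise ValueError("bit 7 of the packet tag octet must be set")
    pos = offset + 1

    def need(n):
        if pos + n > len(buf):
            raise ValueError("truncated packet length field")

    if ptag & 0x40:  # new-format header: tag is the low 6 bits
        tag = ptag & 0x3F
        need(1)
        b0 = buf[pos]
        pos += 1
        if b0 < 192:                       # one-octet length
            return _check(buf, tag, pos, b0, False)
        if b0 < 224:                       # two-octet length
            need(1)
            length = ((b0 - 192) << 8) + buf[pos] + 192
            return _check(buf, tag, pos + 1, length, False)
        if b0 == 255:                      # five-octet length
            need(4)
            length = int.from_bytes(buf[pos:pos + 4], "big")
            return _check(buf, tag, pos + 4, length, False)
        # 224..254: partial body length; the first chunk is 1 << (b0 & 0x1F)
        return tag, pos, 1 << (b0 & 0x1F), True

    # old-format header: tag in bits 2..5, length type in bits 0..1
    tag = (ptag >> 2) & 0x0F
    ltype = ptag & 0x03
    if ltype == 3:                         # indeterminate length
        return tag, pos, None, False
    n = (1, 2, 4)[ltype]
    need(n)
    length = int.from_bytes(buf[pos:pos + n], "big")
    return _check(buf, tag, pos + n, length, False)


def _check(buf, tag, start, length, partial):
    """Reject a definite-length packet whose body runs past the buffer."""
    if start + length > len(buf):
        raise ValueError("packet body truncated")
    return tag, start, length, partial


def integrity_policy(msg):
    """Decide, from the outer packet alone, whether a message may be decrypted.

    Returns (accepted, reason). Tag 9 is refused outright: a message that was
    originally SEIPD but now arrives as tag 9 has lost its MDC, so decrypting it
    would hand unauthenticated plaintext to the user.
    """
    tag, start, length, _ = parse_packet_header(msg)
    if tag == TAG_SE:
        return False, "tag 9: no integrity protection (possible SEIPD downgrade)"
    if tag == TAG_SEIPD:
        if length is not None and length < 1:
            return False, "tag 18: empty body"
        version = msg[start]
        if version == 1:
            return True, "tag 18 v1: CFB with MDC, verify MDC after decryption"
        return False, "tag 18: unsupported version %d" % version
    return False, "tag %d: not an encrypted-data packet" % tag


# Constructed messages; the bytes after the version octet are filler, not real ciphertext.
SEIPD_V1_MSG = bytes([0xC0 | TAG_SEIPD, 0x0A, 0x01]) + b"\x00" * 9   # new format, 10-byte body
SE_OLD_MSG = bytes([0x80 | (TAG_SE << 2) | 0x00, 0x09]) + b"\x00" * 9  # old format, 1-octet length
SE_NEW_MSG = bytes([0xC0 | TAG_SE, 0xC0, 0x08]) + b"\x00" * 200         # new format, 2-octet length

if __name__ == "__main__":
    for name, m in (("SEIPD v1", SEIPD_V1_MSG), ("SE old", SE_OLD_MSG), ("SE new", SE_NEW_MSG)):
        print(name, parse_packet_header(m), integrity_policy(m))
```

The policy is deliberately applied before any key material is touched: the point of the thread is that the MDC can only be checked after parsing and decrypting, so the one property that can be enforced up front is that an MDC is present at all. A real implementation would follow the accept with the MDC (or, for AEAD packets, the tag) check after decryption and would still treat a valid signature as the only proof of origin.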
Thanks for the clear translation of the issue.
So the message is: don't trust the integrity of encrypted mails unless the signature is valid? That doesn't seem too terrible.
GPG comes through again. Not ideally but acceptably for the paranoids. :)