WinZip to the rescue

Jonathan Peterson JPeterson at
Fri Nov 23 13:13:29 GMT 2007


Thanks to recent errors by our friends in Whitehall, our company has 
decided to care about encrypting things a bit. In particular some not 
massively interesting mailing lists that get sent to shipping companies. 
I'm struggling to find a better alternative than encrypted zip files with 
a strong and seperately faxed password.

Despite plenty of criticism around winzip 9.0's AES implementation, I'm 
struggling to find any concrete evidence that it's easy to break. I only 
see brute force attacks widely available, and they all seem slow enough 
not to matter (200/s).

The main drawback to using winzip, is that you are using winzip. It just 
sounds hopelessly noddy. Of course, in the event of an audit you describe 
it as "We send data using 256-bit AES encryption" which sounds much 
better, but still, you have to wonder.

All the usual restrictions about the recipient being a technically dull 
worker drone apply, so fancy solutions are a non-starter.


* Please don't mention PGP. Nobody's mentioned it to me for years, and the 
feeling is wonderful.
* Please don't mention man in the middle attacks, because I don't care 
about them**.
* Please don't talk about digital signatures, and trust networks, because 
I don't care about them either***.

**  Because I'm only worried about email's being embarrassingly mis-sent, 
or naughtily copied, not being intercepted by elite haxx0rz.
*** That's in the strong, existential sense of not caring - you know, like 
not caring about Britney.

Jonathan Peterson
BMJTechnology, +44 (0)20 7383 6092
jpeterson at

The BMJ Group is one of the world's most trusted providers of medical information for doctors, researchers, health care workers and patients  This email and any attachments are confidential.  If you have received this email in error, please delete it and kindly notify us.  If the email contains personal views then the BMJ Group accepts no responsibility for these statements.  The recipient should check this email and attachments for viruses because the BMJ Group accepts no liability for any damage caused by viruses.  Emails sent or received by the BMJ Group may be monitored for size, traffic, distribution and content.  BMJ Publishing Group Limited trading as BMJ Group.  A private limited company, registered in England and Wales under registration number 03102371.  Registered office: BMA House, Tavistock Square, London WC1H 9JR, UK.

More information about the mailing list