
Security Flaw Discovered in GPG

CowboyNeal posted more than 8 years ago | from the enemy-within dept.


WeLikeRoy writes "A serious problem in the use of GPG to verify digital signatures has been discovered, which also affects the use of gpg in email. It is possible for an attacker to take any signed message and inject extra arbitrary data without affecting the signed status of the message. Depending on how gpg is invoked, it may be possible to output just faked data as several variants of this attack have been discovered. All versions of gnupg prior to 1.4.2.2 are affected, and it is thus recommended to update GnuPG as soon as possible to version 1.4.2.2."


151 comments

Oh no! (4, Funny)

MyLongNickName (822545) | more than 8 years ago | (#14888032)

A serious security issue in GPG! We are all doomed!

what is GPG?

Yeah, I will go RTFA. However, summaries that assume you are familiar with an acronym are rude, IMHO ;)

Not a fundamental flaw. (5, Interesting)

aprilsound (412645) | more than 8 years ago | (#14888075)

From TFA:
The attack is to change a standard message to inject faked data (F). A simple case is this: F + O + D + S. gpg now happily skips F for verification and does a proper signature verification of D and if this succeeds, prints a positive result. However when asked to output the actual signed data it will output the concatenation of F + D and thus create the impression that both are covered by the signature.

So this is a simple mistake made by GPG, in an effort to coexist well with email and the like.

In other words, GPG looks at an email message and sees headers and the like. Of course, the headers were not signed (just the message), so GPG skips them and when it encounters the signed message, it begins to verify the signature.

So, if you are an attacker, you insert something before or after the signed message, and when GPG goes to verify it, the signed message passes, but GPG nicely prints out the whole message for you, instead of just the signed part. Oops, not a big deal, encryption isn't broken, in fact this is just an application bug.

Re:Not a fundamental flaw. (0, Troll)

Anonymous Coward | more than 8 years ago | (#14888089)

Ah, the famous "I want to be near the top, so I will reply to something that isn't related to what I am posting so I can get karma".

Enigmail is fine... (2, Insightful)

bazald (886779) | more than 8 years ago | (#14888759)

...as it is already designed to tell you precisely what part of the e-mail is signed. Is there a more convenient way to handle GPG for e-mail than enigmail anyway?

Re:Not a fundamental flaw. (3, Interesting)

linhux (104645) | more than 8 years ago | (#14889303)

Sorry, but this seems like a big deal to me. The whole point of digital signatures is that you can know exactly what has been signed by the signer -- and be sure that nothing has been added or removed on the way. Consider this e-mail:

From: BOSS@CORPORATE.COM
To: MIDDLEMANAGER@CORPORATE.COM
Subject: Employee Burt Reynolds

That's a fine lad! Let's give him a raise!

-- Boss

GPG SIGNATURE VERIFIED: BOSS@CORPORATE.COM


Now, this message can be intercepted and a new part inserted before the actual message body, without the receiver being notified -- here I have marked the new part with bold text:

From: BOSS@CORPORATE.COM
To: MIDDLEMANAGER@CORPORATE.COM
Subject: Employee Burt Reynolds

Fire him immediately. He is a waste of space.

Employee Foo Bar, on the other hand.
That's a fine lad! Let's give him a raise!

-- Boss

GPG SIGNATURE VERIFIED: BOSS@CORPORATE.COM


The message meaning has been completely altered, and GPG still verifies the signature. Feels like a big deal to me. But of course, I might have completely missed something.

GPG is: (4, Informative)

Black Copter Control (464012) | more than 8 years ago | (#14888250)

what is GPG?

GPG stands for Gnu Privacy Guard. It's the Free(tm) replacement for PGP (Pretty Good Privacy) which was originally developed by RSA. Between them, they are one of the standards for encryption and verification of sensitive data (including email).

As opposed to X509/SSL which seems to be designed for centralized trusted certificate issuers, GPG/PGP depend on a (decentralized) web of trust -- You decide which signatures you wish to trust, and then those signatures can be used to signify who they trust... If you have enough trust in the signature web for a public key you have for someone, then it is presumed that the key is trustable.

GPG seems to be supported by people who include some serious heavyweights in the encryption community.

IANASE (I am not a security expert), so any corrections to this explanation would be much appreciated.

Re:GPG is: (3, Informative)

Zeinfeld (263942) | more than 8 years ago | (#14888305)

GPG stands for Gnu Privacy Guard. It's the Free(tm) replacement for PGP (Pretty Good Privacy) which was originally developed by RSA.

Given the lawsuits that RSA filed to stop PGP this statement could hardly be more wrong. Phil Zimmermann developed PGP as freeware, then released a commercial version of his code and reclaimed the name. GPG is a name chosen to describe the free version.

This crack is not particularly new, the first version of PGP had the problem. The only part of the message that is secure is the part between the begin and end signature bars. PGP/MIME fixes this problem but MIME creates new ones.

PGP Inc sells a fine PGP client that also does a pretty good S/MIME. I have no problem with the PGP protocol or a carefully designed, properly integrated plug in.

What I do have a problem with is the idea that effective security can be delivered as an ad-hoc bolt on to be lashed into place with some perl scripts. If you want to do end-to-end security you have to come to terms with the fact that the real end point is the user.

Re:GPG is: (3, Informative)

Rikus (765448) | more than 8 years ago | (#14888721)

GPG is a name chosen to describe the free version.
This sentence is neither informative nor funny.

No, GnuPG [wikipedia.org] is not the same as PGP [wikipedia.org]. GnuPG was in fact developed to replace PGP, both because PGP is covered by a non-commercial use only license, and (probably) because it by default incorporates the patented IDEA algorithm. Yes, PGP Freeware and GPG are both free and interoperable, but they are not the same thing.

Re:GPG is: (4, Informative)

Martin Blank (154261) | more than 8 years ago | (#14888507)

It's the Free(tm) replacement for PGP (Pretty Good Privacy) which was originally developed by RSA.


No, PGP wasn't developed by RSA; RSA had nothing at all to do with PGP's development. The RSA asymmetric encryption algorithm has been in use since early versions, but PGP itself was developed by Phil Zimmermann, who got into a patent battle with RSA over his use of the algorithm without their permission (although patent co-holder MIT didn't have a problem with it, complicating the situation). A deal was eventually worked out, and the RSA algorithms have been in ever since.

Re:Oh no! (5, Interesting)

Anonymous Crowhead (577505) | more than 8 years ago | (#14888367)

It's funny. Back in the day, when Slashdot was cool, almost everyone would know what GPG was. Most of the articles were like this one. Cool stuff about cool technology. Not politics (aside from GNU) and all the other crap like the "new mouse/keyboard technology of the week" adverts that permeate Slashdot these days.

Re:Oh no! (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14888576)

Just look at the hall of fame [slashdot.org]. Nine out of ten most active stories are drivel that most idiots discuss around the watercooler daily. News for nerds my foot. Also, all you fucking opinionated idiots with modpoints can suck my cock.

Re:Oh no! (-1, Troll)

arcade (16638) | more than 8 years ago | (#14888862)

If you do not know what GPG is, you're not a nerd - and you're on the wrong site.

Seriously: Go away.

Or at least: DO NOT comment articles. It's pretty damn obvious that you don't know enough to do so. And rude? Rude is to be at a site where you obviously do not belong - irritating the people who have frequented the site since the 90s.

Re:Oh no! (0)

Anonymous Coward | more than 8 years ago | (#14889122)

The 90s? I've been on Slashdot since 1986, when I used to dial up to CmdrTaco's 300 baud BBS (if his mom wasn't on the phone) with my Commodore 64.

I haven't been around for quite a few years, since there wasn't a good web browser for the C64 until quite recently. Anything new here? Did the user IDs finally pass 100?

Re:Oh no! (0)

Anonymous Coward | more than 8 years ago | (#14889224)

What's rude is elitism. Get over yourself and your "clique".

Re:Oh no! (3, Funny)

xchino (591175) | more than 8 years ago | (#14889231)

Mod parent down. What a disgusting display of arrogance and elitism. You're the one who shouldn't be here, regardless of how low your UID is.

"If you do not know what GPG is, you're not a nerd - and you're on the wrong site."

I think about 98% of the science department at any college would tell you exactly what a fucking idiot you are for making such a broadly stupid statement. Are you seriously so deluded that you think the only type of nerd is a computer nerd? And that all computer nerds have heard of this one specific release of a technology rarely used even in business environments? The majority of nerds and geeks don't know what GPG is. People like you and me are the minority, fucking get over it, and get over yourself.

"Seriously: Go away."

Fuck you, you go away. I'd take a complete know-nothing over an arrogant asshole any day. People like you detract from the value of this site. No one gives a shit you've been here since the 90s. Why don't you go have a plaque made to hang up on your bedroom wall to show how cool you are? Do you put your Slashdot UID on resumes as an achievement?

"Rude is to be at a site where you obviously do not belong - irritating the people who has frequented the site since the 90s."

Rude is to act like you are the sole arbitrator of who should and should not be allowed to voice their opinion on an open forum, like you're the fucking gestapo or something. Given the recent history of postings, the GP [slashdot.org] has, in the eyes of the users of this site, a better quality of contribution than you [slashdot.org].

Based on your attitude I can only assume you are a sad, pathetic man, with delusions of some sort of elevated importance via seniority. I, as well as the majority of Slashdotters, welcome ANYONE who is interested in science, technology, gaming, or any of the various subjects that Slashdot covers, including politics, regardless of their ignorance of a certain subject or technology. You're nothing but an eSnob.

Re:Oh no! (0)

Anonymous Coward | more than 8 years ago | (#14889179)

WTF!?! If you don't know what PGP and GPG are, then WTF are you doing reading Slashdot?

Next thing you know you will be demanding that the editors explain what "Linux" is every time they post an article on it.

Whew! (4, Funny)

suso (153703) | more than 8 years ago | (#14888037)

It's a good thing I don't use GPG to sign my emails. Oh wait.

Re:Whew! (1)

jrockway (229604) | more than 8 years ago | (#14888155)

Mails signed with GPG are fine. It's mail that's verified with GPG that can be forged.

Re:Whew! (0)

Anonymous Coward | more than 8 years ago | (#14889192)

Mails signed with GPG are fine. It's mail that's verified with GPG that can be forged.

What good is signing something if you never verify it?

Re:Whew! (5, Funny)

Anonymous Coward | more than 8 years ago | (#14888598)

I have been publishing my GPG key for over a year now and I have yet to have anyone send me an encrypted email. I feel really lonely and unpopular. I'd even read encrypted penis enlargement spam if someone would be thoughtful enough to send me some.

Bug Intentionally Placed? (2, Funny)

Un-Thesis (700342) | more than 8 years ago | (#14888047)

For all the tinfoil hat people out there, I propose that the bug may have been placed intentionally, since GnuPG is, in fact, an open-source community project. So instead of taking hours to obtain a GPG key, the NSA could spend seconds and impersonate an otherwise [strike]paranoid[/strike] privacy-oriented person in typically confidential memos. Maybe a full accounting as to when the bug got there, how it got there, who put it there and the chances of it being purely human error is to be demanded? After all, some people (including myself) have invested some very expensive stakes in the security of GnuPG over the years.

HopeSeekr of xMule

Re:Bug Intentionally Placed? (4, Funny)

Saeed al-Sahaf (665390) | more than 8 years ago | (#14888057)

The NSA secretly seeding Open Source with ingeniously crafted back doors? Never! Not our NSA...

Don't forget Win95! (0, Troll)

Un-Thesis (700342) | more than 8 years ago | (#14888074)

Don't forget the RSA key that had the words "NSA key" in the debug symbols that first made it into Windows 98 and stayed there until WinXP SP2!! I feel these things are probably very prevalent; it's already common knowledge every U.S. ISP is pwned by their black boxes, usually also loaned to the FBI and then false-flagged as 'Carnivore' (in reality it's an outcropping of ECHELON...err, now ADVISE (see my slashdotted story [slashdot.org]...)).

Re:Don't forget Win95! (1)

Isaac-Lew (623) | more than 8 years ago | (#14888174)

Do you seriously think that the NSA would be stupid enough to call their backdoor "NSAkey"?

Re:Don't forget Win95! (5, Funny)

JustOK (667959) | more than 8 years ago | (#14888203)

Don't you think they're smart enough to think that you would think they weren't that stupid?

Re:Bug Intentionally Placed? (2, Interesting)

Anonymous Coward | more than 8 years ago | (#14888092)

After all, some people (including myself) have invested some very expensive stakes in the security of GnuPG over the years.

Ah ha. And how many times did you personally verify the source before you trusted it?

Re:Bug Intentionally Placed? (1)

Data Link Layer (743774) | more than 8 years ago | (#14888207)

As head of security for the company I work for I must check the source code for potential holes and try to fix them or use different encryption software.

Re:Bug Intentionally Placed? (2, Interesting)

larry bagina (561269) | more than 8 years ago | (#14888350)

I guess we should be thanking you for finding this problem. Since you did verify the source code doesn't contain any security holes. You did find the hole, right?

Re:Bug Intentionally Placed? (4, Informative)

aprilsound (412645) | more than 8 years ago | (#14888118)

So instead of taking hours to obtain a GPG key, the NSA could spend seconds and impersonate an otherwise [strike]paranoid[/strike] privacy-oriented person in typically confidential memos.

I realize this is a joke, but just so everyone knows, a little bit of scrutiny would expose a faked message.

If you RTF Mailing List, you will see that the "attack" only allows someone to append or prepend data to the signed message, and then the augmented message is only displayed the way it is because of an application bug in GPG.

No fundamental algorithm is broken, no one has discovered a way to cause collisions. In fact, if you tried to independently verify the signature of the message against the augmented message, it would fail.

What happens is that GPG skips text that is not part of the signed message, such as email headers and the like, then verifies what is signed. Unfortunately, once it's verified, it will output the whole message, leading the user to believe that the whole message was signed.

Again if you checked the signature against the whole message it wouldn't verify, GPG is just being a bit too helpful.
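The behaviour aprilsound describes here and in the earlier "Not a fundamental flaw." comment, reduced to a runnable model. This is an added teaching example, not GnuPG code and not taken from the advisory: the OpenPGP signature is replaced by an HMAC under a constructed key so it runs offline, the packet labels follow the advisory's F/O/D/S notation, the sample text is borrowed from linhux's e-mail above, and the function names are this example's own.

```python
"""Toy model of the GnuPG < 1.4.2.2 false-positive verification bug discussed
in this thread. Added teaching example, not GnuPG code: the OpenPGP signature
is an HMAC under a constructed key so it runs offline, packet labels O/D/S/F
follow the advisory's notation, and the function names are this example's own.
"""
import hashlib
import hmac

# Constructed stand-in for the signer's key (HMAC instead of RSA/DSA).
SIGNER_KEY = b"constructed-demo-key-not-a-real-secret"


def make_signed_stream(data):
    """Build the packet sequence O + D + S for one piece of literal data."""
    sig = hmac.new(SIGNER_KEY, data, hashlib.sha256).digest()
    return [("O", b""), ("D", data), ("S", sig)]


def verify_pre_1_4_2_2(packets):
    """Model of the buggy verifier: only literal data between O and S is
    hashed against S (the signature check itself is correct), but *every*
    literal packet is copied to the output, so unsigned bytes land beside
    signed ones under a 'Good signature' verdict.
    Returns (signature_good, output_bytes)."""
    in_frame, hashed, output, good = False, b"", b"", False
    for kind, body in packets:
        if kind == "O":
            in_frame, hashed = True, b""
        elif kind == "D":
            output += body            # copied regardless of position
            if in_frame:
                hashed += body        # only framed data is verified
        elif kind == "S":
            expected = hmac.new(SIGNER_KEY, hashed, hashlib.sha256).digest()
            good = hmac.compare_digest(expected, body)
            in_frame = False
    return good, output


def verify_fixed(packets):
    """Strict verifier: a literal packet outside the single O..S frame, a
    second frame, or an unknown packet invalidates the whole stream, and
    only data that was actually verified is emitted.
    Returns (signature_good, output_bytes)."""
    in_frame, frames, hashed, good = False, 0, b"", False
    for kind, body in packets:
        if kind == "O":
            if in_frame or frames:
                return False, b""
            in_frame, frames = True, frames + 1
        elif kind == "D":
            if not in_frame:
                return False, b""     # unsigned data present: reject
            hashed += body
        elif kind == "S":
            if not in_frame:
                return False, b""
            expected = hmac.new(SIGNER_KEY, hashed, hashlib.sha256).digest()
            good = hmac.compare_digest(expected, body)
            in_frame = False
        else:
            return False, b""
    if in_frame or not good:
        return False, b""
    return True, hashed


# Constructed sample data, borrowing linhux's e-mail from the thread.
SIGNED_NOTE = b"That's a fine lad! Let's give him a raise!\n"
INJECTED = b"Fire him immediately. He is a waste of space.\n"


def demo():
    """Run both verifiers over a clean stream and the two injection layouts."""
    legit = make_signed_stream(SIGNED_NOTE)
    prepended = [("D", INJECTED)] + legit     # F + O + D + S
    appended = legit + [("D", INJECTED)]      # O + D + S + F
    return {
        "legit_old": verify_pre_1_4_2_2(legit),
        "prepended_old": verify_pre_1_4_2_2(prepended),
        "appended_old": verify_pre_1_4_2_2(appended),
        "legit_fixed": verify_fixed(legit),
        "prepended_fixed": verify_fixed(prepended),
        "appended_fixed": verify_fixed(appended),
    }


if __name__ == "__main__":
    for name, (good, out) in demo().items():
        print(f"{name:16} good={good!s:5} output={out!r}")
```

The old verifier reports a good signature for both injected layouts and emits the injected text alongside the signed note; the strict one rejects anything outside the single signed frame and only ever emits bytes it verified.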

Eat, Drink, and be Merry (-1, Offtopic)

Un-Thesis (700342) | more than 8 years ago | (#14888159)

At least you can laugh this off as if it were nothing. I'm just waiting for the economic crash to occur now that the housing bubble is leaking, war with Iran is imminent (a prominent Russian MP says March 31st [mosnews.com] (as did Scott Ritter [bellaciao.org]), and Bush gave a 30-day ultimatum on the 4th [monstersandcritics.com]).

As the saying goes, Let's eat drink and be merry, for tomorrow we die.

HopeSeekr [incendiary.ws] of xMule [xmule.ws]

Re:Bug Intentionally Placed? Well, msg headers? (1)

davidsyes (765062) | more than 8 years ago | (#14888950)

Quote from parent: "Unfortunately, once it's verified, it will output the whole message, leading the user to believe that the whole message was signed."

Well, then a little GOOD social engineering could resolve this, right? Some prepend and append markups could help identify what was injected.

Example: (Pre-encrypted)

Begin Encrypted Body HERE:

We snatched the subject at building 232. Skyjack arrived at the field and extracted subject at 2200 hours, and headed 225 True north along evac corridor. Diverted to SSW 45 seconds later, avoiding ....

End Encrypted Body HERE.

=======
Now, the injected part might be:

You are discouraged from complying with the contents of this message.
fasd; ;o7fp 2;4j2;o8ps98f j3;r

Begin Encrypted Body HERE:

We snatched the subject at building 232. Skyjack arrived at the field and extracted subject at 2200 hours, and headed 225 True north along evac corridor. Diverted to SSW 45 seconds later, avoiding ....

End Encrypted Body HERE.
  485wiapeow8r-934-5834u

==========

OK, so is this good enough? Everyone? Anyone?

Alternatively, the message could be sent in duplicate, via another transmission method, or the first decrypt could contain the raw message, but the confirmation (if speed is not of the essence) could be in a plain text message with some of the NON-CLASSIFIED text in the same sequence. Having received it from another secure channel, the authentication could be had by comparing the sensitive with the non-sensitive "sanitized" version. Besides, how would Uncle Sam know when and what the contents of the out-of-channel authentication message be? You could be sending a red herring in the encrypted message JUST to see if they're tampering with your traffic...

Now, if you want something to REALLY worry about... consider your using Amarok to receive songs. How do you KNOW that the packets entering your machine are SAFE? So much CPU processing is going on with your KDE or Gnome GUI and any music scopes and rotating desktops that you really can't KNOW WHAT the hell is in your machine even if you real-time scan or spot-check. Unless you've got a quantum computer or a brain-machine interface with your brain able to process terabytes to the terabyte power (and enough hours in the day), how will you KNOW your machine isn't back-door attacked by NSA or someone smarter than you? Even if you run Tripwire and other stuff, do you REALLY check ALL those checksums? Don't know bout U, but I change enough files all day to just not CARE anymore. Well, except to hope no one's PLANTING stuff or defacing my files.

Re:Bug Intentionally Placed? Well, msg headers? (1)

Schraegstrichpunkt (931443) | more than 8 years ago | (#14889236)

Better: Everyone uses HTML mail, so:

Begin prepended text HERE:

<!--

End prepended text HERE.

Begin Encrypted Body HERE:

We snatched the subject at building 232. Skyjack arrived at the field and extracted subject at 2200 hours, and headed 225 True north along evac corridor. Diverted to SSW 45 seconds later, avoiding ....

End Encrypted Body HERE.

Begin appended text HERE:

--> We're caught! Destroy the evidence... and kill Jack, that damned traitor!

End prepended text HERE.

Re:Bug Intentionally Placed? (1)

Phoe6 (705194) | more than 8 years ago | (#14889106)

Instead of using the S/MIME method, which attaches the signature separately, would the old-style --clearsign'ing of the message help? The clearsign hashes the content and displays the message inside a template with the signature. Any new prepend or append inside would easily be caught as a bad signature, or when outside would lead the receiver to ignore it.

wrong (1)

penguin-collective (932038) | more than 8 years ago | (#14888289)

It's not the kind of bug that people would put in intentionally; it's more a conceptual error, made when trying to retrofit digital signatures into an email system not designed for it.

As to where it came from, you can check the version control log files; it's all there.

Re:Bug Intentionally Placed? (1)

shmlco (594907) | more than 8 years ago | (#14889326)

Yeah. And it's great that those thousands of open-source eyeballs caught it before... oh, wait.

Wonder... (-1, Redundant)

Saeed al-Sahaf (665390) | more than 8 years ago | (#14888048)

...how long the NSA has known about this?

Re:Wonder... (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14888087)

SiNceL YkE 19722222222222222222222222222222222222222222222222 222

hang on, i'll tell him (1, Funny)

Anonymous Coward | more than 8 years ago | (#14888058)


that GPG user lives downstairs i'll just tell him there is a problem

Debian unstable's got me covered (0, Informative)

Anonymous Coward | more than 8 years ago | (#14888070)

Since I use GnuPG to sign my e-mails (not that I believe anyone actually verifies the signatures, nor do I send any e-mails for which it would really matter all that much -- it just seems like good practice), I ran to check my version of GnuPG as soon as I saw the /. blurb.

1.4.2-2

Hmm. The -2 means that this is the second packaging of the 1.4.2 release. So it's been out for a while. Checking the changelog, I see that 1.4.2-1 was released 24 Sep 2005. My system would have gotten the update within a couple of days of that release date, so I got the fix nearly six months *before* the vulnerability announcement.

Can't complain about that!

Re:Debian unstable's got me covered. Um NO. (3, Informative)

Anonymous Coward | more than 8 years ago | (#14888129)

The parent AC is wrong.
1.4.2-2 is not equal to 1.4.2.2, and it is older than 1.4.2.2.
The -2 is the 2nd Debian modification of 1.4.2.

Re:Debian unstable's got me covered. Um NO. (0)

Anonymous Coward | more than 8 years ago | (#14888187)

mod parent

actually not (2, Informative)

kelnos (564113) | more than 8 years ago | (#14888269)

Actually, 1.4.2-2 is the second *Debian* release of 1.4.2, probably to fix packaging bugs or minor bugs in the software that weren't yet available in an upstream release. 1.4.2-2 != 1.4.2.2. Debian users still need to upgrade when a new package is available.

even worse sometimes (0)

Anonymous Coward | more than 8 years ago | (#14888342)

I updated my compiler a while back and it actually claims to be 4.0.3, it should have been 4.0.2-1.

software or data flaw? (1)

TheSHAD0W (258774) | more than 8 years ago | (#14888071)

Is this flaw in encoding or decoding? IOW, will the new version of GPG be able to sniff out modified signatures, or are all signatures made by old versions modifiable w/ no recourse?

Re:software or data flaw? (2, Informative)

Black Copter Control (464012) | more than 8 years ago | (#14888177)

No flaw in encoding or decoding.
The problem is in display. It displays the unencoded preamble and postscript inline with the (properly) verified parts of the email. You then, essentially, have to guess which is which.

Aha! (5, Funny)

evil agent (918566) | more than 8 years ago | (#14888081)

She thought she could get rid of me with that rejection via email. Now I've got reasonable doubt about her feelings. Until I get that court order, of course.

Re:Aha! (4, Funny)

Anonymous Coward | more than 8 years ago | (#14888233)

well, if you're lucky the court order will come by email too.

Shouldn't be a surprise... (3, Insightful)

Spy der Mann (805235) | more than 8 years ago | (#14888083)

Remember how many versions of OpenSSH we have? And why do you think new versions were released? And why should GPG be any different?

Double Bag That Burger (4, Informative)

Doc Ruby (173196) | more than 8 years ago | (#14888138)

Another good recommendation is to diversify your crypto. Sign/encrypt your data with multiple different crypto algorithms in the same message. It's like network redundancy: the odds of both methods failing at once are equal to the product of the low, but significant, probability of either failing. A single failure doesn't ever compromise your data, and buys time to get a new second method that works.

Of course, sent messages can't be recovered for reprotection with the new second method. And eventually the other original method will be compromised, so the attacker can use the appropriate methods for each. But at least you've improved your security. Probably more than the next guy. Next lesson: when the bear is chasing y'all, you don't have to be the fastest; just not the slowest.

Re:Double Bag That Burger (0, Insightful)

Anonymous Coward | more than 8 years ago | (#14888230)

go take a class on cryptography

Re:Double Bag That Burger (-1, Redundant)

Doc Ruby (173196) | more than 8 years ago | (#14888334)

Go stick _Applied Cryptography_ up your 482d2721589499e5ad0c2e24bc6e7534 , Anonymous a0a0d7540b7cf3e9e78adfe611d816b9 Coward.

Re:Double Bag That Burger (0)

Anonymous Coward | more than 8 years ago | (#14888324)

RTFA. This has nothing to do with the crypto; your suggestions in this case would be useless.

Re:Double Bag That Burger (-1)

Doc Ruby (173196) | more than 8 years ago | (#14888439)

When people sign messages with both GPG and another signature method, the false positive produced by the GPG is cancelled by the true negative from the other method. My suggestion protects against protocol attacks, cipher attacks, and all kinds of other attacks, by guarding against a higher level of weakness that could include any of those.

Use your friendly head before lashing out in ignorance, AFC.

Re:Double Bag That Burger (5, Funny)

TPS Report (632684) | more than 8 years ago | (#14888332)

Another good recommendation is to diversify your crypto. Sign/encrypt your data with multiple different crypto algorithms in the same message.
That's an awesome idea. I'm going to start doing that right now! :P

This is a multi-part message in MIME format.
------=_NextPart_000_0012_01C22048.805E6800
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Test

------=_NextPart_000_0012_01C22048.805E6800
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey. Where do you want to eat lunch today?

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Re:Double Bag That Burger (0, Offtopic)

tacolicker (924348) | more than 8 years ago | (#14888949)

z0mG u R t3h 1337z0rz!!!!!!!!!!11!!~!~!0~!@!~1337z0rz!@!@! die fucktard nigger.

Re:Double Bag That Burger (5, Funny)

LS (57954) | more than 8 years ago | (#14889033)


How in the F*** did THAT make it through the lameness filters?!

Re:Double Bag That Burger (1)

larry bagina (561269) | more than 8 years ago | (#14888376)

you can also bzip2 your gzip files to improve your compression.

Re:Double Bag That Burger (1)

Doc Ruby (173196) | more than 8 years ago | (#14888469)

Actually, sometimes compression methods can squeeze extra reductions when used in series. But that's not a defense against failure - though the compression phase of most encryption methods might see that extra reduction as a bonus. The point is not just to make the encrypted message "more encrypted", but to guard against the eventual failure of one of the methods. The odds of both methods failing within a short time period are very odd indeed.

Triple bag it (2, Informative)

Anonymous Coward | more than 8 years ago | (#14888381)

"For instance, the use of double encryption does not provide the expected increase in security [MH81] when compared with the increased implementation requirements, and it cannot be recommended as a good alternative. Instead, triple-encryption is the point at which multiple encryption gives substantial improvements in security."

From http://www.x5.net/faqs/crypto/q85.html [x5.net]

Re:Triple bag it (0)

Doc Ruby (173196) | more than 8 years ago | (#14888460)

Any increase is valuable, its value depending on the total data protected by the total effort over time. Increased implementation requirements can be met by automation, which cost must as always be compared to its benefit.

However, the principle in that FAQ is sound within its scope. In combination with the consideration I mention, the right approach is to use as many redundant methods as possible given costs, network and processing bandwidth.

Again, the redundancy operates on exactly the same principle as the more familiar network redundancy. The second method is the biggest increase in utility, though going to redundancy in that step might also bring the biggest increase in cost. But the variety of failure scenarios against which redundancy protects has proven worth the effort for every serious practitioner, once the methods are commodities.

Aha! (0, Flamebait)

jav1231 (539129) | more than 8 years ago | (#14888200)

Maybe Apple will finally appoint a Security Czar and take care of these flaws and all you Apple Fanboys....oh wait...

LOL GNU (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14888226)

LOL

shock! (1)

Anonymous Coward | more than 8 years ago | (#14888253)

So a bug was discovered in the older versions of an open source software and if you have a recent update, you are not affected? Really, stuff that matters, I am shocked and surprised!

Oddly enough (1)

Orion Blastar (457579) | more than 8 years ago | (#14888284)

I tried the Windows version of GNUPG and it refuses to recognize any public or private keys that it generates or that I imported from PGP. I counted on using it after switching to Thunderbird, but GNUPG broke and the updates do not seem to fix it. Maybe it has issues with XP SP2, NTFS or something?

Ah well, maybe I can install it on my Linux machine?

Re:Oddly enough (1)

mikeswi (658619) | more than 8 years ago | (#14888848)

It may already be on your Linux machine. My SuSe machine had it preinstalled and there is a KDE GUI front end that works almost exactly like PGP from pgp.com. Enigmail works fine with it along with T-bird, although it broke HTML by changing a config setting. I had to run that problem down and fix it [mikehealan.com].

Someone should get fired (3, Funny)

Yoik (955095) | more than 8 years ago | (#14888295)

That information should never have been released! The negative press will impact sales. It would have been better to pretend the bug never existed.

Oh, it isn't corporate product, nevermind.

Re:Someone should get fired (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#14888345)

Oh but wait!!! I thought the idea behind all those millions of pairs of eyes scrutinizing every character of source code was to prevent security BUGS. Wait, forgot for a moment where I was: The land of MS Bad (always), OSS Good (always). If this was fixed so long ago (as other posters suggest), then why is it just now becoming news to alert others to update their software? Wait 'til the press hears about this. All those poor Linux/OSS home users, who are they gonna call to sort this out?

Re:Someone should get fired (0)

Anonymous Coward | more than 8 years ago | (#14889286)

Oh but wait!!! I thought the idea behind all those millions of pairs of eyes scrutinizing every character of source code was to prevent security BUGS.

Which is exactly what happened, the system works.

check.. (4, Funny)

dotpavan (829804) | more than 8 years ago | (#14888301)

did anybody cross-check the authenticity of that warning? I won't accept that until I verify its GPG key :)

Re:check.. (1)

afaik_ianal (918433) | more than 8 years ago | (#14888516)

Yep, here's the signed version of the summary:

A serious problem in the use of GPG to verify digital signatures has been discovered, which also affects the use of gpg in email. All versions of gnupg prior to 1.4.2.2 are affected, and it is thus recommended to update GnuPG as soon as possible to version 1.4.2.2.

Please disregard the remainder of this email.
-----BEGIN PGP SIGNED MESSAGE-----
Joe,
Are you coming to the pub tonight?
Ben.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (Darwin)
Comment: http://www.rbisland.cx/publickeys.html [rbisland.cx]

rpehy49gx,[09bglCRGBLYCG>L93074bio.crpkx,.crlp,
lrcgbkp,l94bk,94gbxklbxoxbmopkbggbk/lr,=
=fUm/
-----END PGP SIGNATURE-----

Short explanation if you're too lazy to RTFA (4, Informative)

sidney (95068) | more than 8 years ago | (#14888311)

The bug allows someone to take a signed GPG message, stick in their own unsigned message in a certain way, and GPG will show you the combined message or even just the new message, but tell you that it is signed by the person who signed the original message.

If you read the message using the new GPG 1.4.2.2 it will correctly not accept the hacked message. So if you have any question about signed mail you received, you can check it again after upgrading GPG.

The bug only affects embedded signatures, such as in email messages using inline signatures or signed encrypted email. I think that excludes PGP/MIME signed unencrypted email, which is a common format for signed mail and would be a form of detached signature.

The bug does not affect "detached signatures", which are the kind that are used to verify software downloads, which means it could not have been used to hack yum, apt-get, etc.

All in all, not a big security flaw unless someone takes a signed email that you sent them, forges a GPG signed request to your domain registrar to transfer your million dollar domain name to them, and your registrar hasn't yet updated to GPG 1.4.2.2. Whoops -- if you upgrade GPG right now, it wouldn't help in that scenario.
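The F + O + D + S behaviour sidney describes, modelled in Python as an added example (not GnuPG's code): a toy packet stream in which an HMAC stands in for the OpenPGP signature, one verifier that reproduces the pre-1.4.2.2 mistake (checks D, outputs F + D), and one that rejects anything outside the single signed sequence. The packet tag names, the key and the injected text are constructed for the demonstration.

```python
import hmac
from dataclasses import dataclass
from typing import List, Tuple

# Constructed stand-in for a public-key signature: a keyed MAC.  Real OpenPGP
# uses asymmetric signatures; the verification *structure* is what matters here.
KEY = b"demo-key-not-real"

@dataclass
class Packet:
    tag: str     # assumed names: "onepass" (O), "literal" (D or F), "sig" (S)
    body: bytes

def sign_message(data: bytes) -> List[Packet]:
    """Produce the O + D + S sequence covering exactly one literal packet."""
    mac = hmac.new(KEY, data, "sha256").digest()
    return [Packet("onepass", b""), Packet("literal", data), Packet("sig", mac)]

def verify_old(packets: List[Packet]) -> Tuple[bool, bytes]:
    """Model of the flawed behaviour: every literal packet is emitted, but only
    the one between O and S is hashed, so F + O + D + S verifies and outputs F + D."""
    output, signed, hashing, ok = b"", b"", False, False
    for p in packets:
        if p.tag == "onepass":
            hashing = True
        elif p.tag == "literal":
            output += p.body          # F is emitted even though it is unsigned
            if hashing:
                signed += p.body      # only D goes into the hash
        elif p.tag == "sig":
            expected = hmac.new(KEY, signed, "sha256").digest()
            ok = hmac.compare_digest(expected, p.body)
            hashing = False
    return ok, output

def verify_fixed(packets: List[Packet]) -> Tuple[bool, bytes]:
    """Hardened verifier: accept exactly one O + D + S sequence and nothing else.
    Any literal before O, after S, or a second literal inside, fails verification."""
    state, signed = "start", None
    for p in packets:
        if state == "start" and p.tag == "onepass":
            state = "hashing"
        elif state == "hashing" and p.tag == "literal" and signed is None:
            signed = p.body
        elif state == "hashing" and p.tag == "sig" and signed is not None:
            expected = hmac.new(KEY, signed, "sha256").digest()
            if not hmac.compare_digest(expected, p.body):
                return False, b""
            state = "done"
        else:
            return False, b""         # unexpected packet: data outside the signature
    if state != "done":
        return False, b""             # truncated or unsigned stream
    return True, signed

INJECTED = b"[constructed unsigned text] "
GENUINE = b"Hey. Where do you want to eat lunch today?"

def forged_message() -> List[Packet]:
    """F + O + D + S: an unsigned literal prepended to a genuinely signed one."""
    return [Packet("literal", INJECTED)] + sign_message(GENUINE)

if __name__ == "__main__":
    print("old  :", verify_old(forged_message()))     # (True, F + D)  <- the bug
    print("fixed:", verify_fixed(forged_message()))   # (False, b'')
```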

Security Flaw Discovered in GPG? (2, Interesting)

NullProg (70833) | more than 8 years ago | (#14888331)

Shouldn't this read Security Flaw Discovered for users of GPG ?

I'm guessing, but 95% of computing world doesn't use GPG. And isn't this a "Man In the Middle" attack? How many routers have been compromised that I need to worry about this?

Are my GPG encrypted messages to the kremlin, CIA, or FBI less secure? Are my "lovey-dovey, are you naked" messages to my wife compromised? That's about all I use GPG for.

Enjoy.

Well... (2, Informative)

jd (1658) | more than 8 years ago | (#14888556)

It is true that 95% of users don't use GPG, but I'd regard that as a flaw in and of itself. Mind you, most e-mail programs (including, IIRC, thunderbird) don't support GPG, although some do support a limited range of digital certificates.


Does it make the e-mails less safe? No. First, the flaw is for adding material, not reading it. Second, it's for signing, not encryption per-se. It DOES mean that you cannot trust e-mail for commercially sensitive transactions, but nobody should be trusting e-mail for that anyway.


Does it affect routers or the infrastructure of the Internet? Only insofar as domain registrars never validate change requests properly. A carefully-crafted attack could use this to append a change-of-IP request to some ISP's routine request to a registrar, which means an attacker could create a phony DNS server for the express purpose of polluting the DNS namespace. If the registrar uses GPG's validation as proof of a legit request (and some are quite happy with a fax with no proof of origin at all) then it could have an impact.


Is this a likely scenario? No. The problem with lack of validation has been around for decades and has been used by cybersquatters and porn merchants, but never (as far as I know) for Black Hat activities. The lack of any significant effort has never been due to security. My best guess is that it's due to skript kiddies being clueless. Which is just as well. If demonstrable and simple exploits aren't being used to cause catastrophic levels of mayhem, then I think we're pretty safe against this somewhat more sophisticated vulnerability requiring (as you correctly point out) a MitM attack.

Re:Well... (4, Insightful)

slavemowgli (585321) | more than 8 years ago | (#14888632)

It DOES mean that you cannot trust e-mail for commercially sensitive transactions, but nobody should be trusting e-mail for that anyway.

I don't mean this to come across as flamebait, but that's one of the stupidest comments I've read on Slashdot today. You could just as well - and with the same justification - say that telephones shouldn't be used for conducting business (all business consists of commercially sensitive transactions, mind you), or that letters shouldn't be used, that the postal services can't be trusted, that pens and paper shouldn't be used for writing down contracts, and so on.

All these things, just like email and just like GPG, are tools. Tools, like everything, are fundamentally insecure, at least theoretically; there is no absolute security. But you can minimise risks by using tools the right way, by making sure that malfunctions don't lead to a cascade of further malfunctions, and - maybe most importantly - by *realising* and *keeping in mind* that nothing is ever perfectly secure. If you do that, you can use email for sensitive things just like you can use the phone network or the postal services or direct face-to-face communication; you merely have to be aware of the risks and how to manage/minimise them.

Panicking and crying "email is never secure!" isn't going to get you anywhere, really. You're just limiting yourself to other means of communication which are basically just as secure or insecure as email is, and given that statement, chances are you haven't really understood how security works, anyway, so you're probably less secure no matter what you do.

Telephones (1)

jd (1658) | more than 8 years ago | (#14888932)

You're correct that it's like saying telephones shouldn't be used by businesses. Indeed, I'm rather surprised that telephones are still used for such transactions, when bugging telephones is not difficult and apparently quite common. The military use "STUs" (Secure Telephone Units) that use strong encryption - probably in a manner very similar to GnuPG - for all sensitive communication.


With the advent of VoIP, crypto chips that you can buy off the shelf, etc, it would neither be difficult nor unreasonable for businesses to support extremely secure lines of communication. Five, ten years ago, it wasn't realistic to expect much in the way of particularly strong protection of communications. These days, the reverse holds true. It is no longer reasonable to expect businesses to maintain insecure lines of communication, simply because they always have done.


"Absolute security" is one of those terms that gets bandied about by cryptography experts but it has no clear definition. It's easy to show that an undefined goal can't be reached!


Let us start with a reasonable definition of "absolute security": The message, if intercepted, cannot be brute-forced, as it is impossible to distinguish between valid and invalid decryption attempts, AND the valid key cannot be intercepted or stolen, AND the message cannot be tampered with, AND the message must not be repudiatable.


Part 1 is easy to achieve. You use a strong compression algorithm to essentially pre-randomize the data. Part 2 uses a stored copy of a natural, totally random source as the key for a One Time Pad to encrypt the data. Part 3 is to use a public-key encryption system with partial decryption keys (ie: no one person has enough of a key to decrypt the message, but perhaps two together or three together would). The encryption mode (how the key shifts between blocks) needs to be authenticating and validating. NIST have specifications for such modes.


Now, if attacker A breaks into a person's house and lifts their partial key and the OTP, they can do what? The OTP will apply perfectly well to a corrupt message, so every possible attempt to break the public key will have equal likelihood of being correct, making it useless.


Is this far too much for a typical business? Sure. The question I answered was not whether it would be practical, but whether it would be possible. I believe I have demonstrated here that it would be possible, although I can think of no way to make it practical.


What, then, is practical? STU phones, or a reasonable facsimile using a stream cipher and VoIP, along with virtually private messaging. ie: where some combination of strong authentication, strong validation, strong encryption, and VPN tunneling, is used to create an environment in which unauthorized individuals would find it impractical to identify the type of communication and would not likely be able to determine the contents within the meaningful lifetime of said contents.


If you can meet these criteria - and it shouldn't be hard - then security may not be "perfect" in an absolute sense, but the likelihood of an intercept or a false message would be so close to zero in the next 20-30 years that unless you're dealing with national secrets, this would give you as close to perfect security as you need.


NB: Since breaking into machines and installing keyloggers and event loggers is possible, I'm assuming both primary parties are using systems that are as hardened against direct attack as OpenBSD, and would meet a significant portion of the old Orange Book B3 standard.


Red Hat Enterprise 5 is being evaluated for the following: EAL 4 Augmented with ALC_FLR.3, Controlled Access Protection Profile (CAPP) Version 1.d, Labeled Security Protection Profile (LSPP) Version 1.b, Role Based Access Control Protection Profile (RBACPP) Version 1.0. There are probably hardening patches out there - not to mention some excellent crypto hardware - that can improve the results further. Two systems like that, at the end points, with the best encryption methods in public use, are simply not going to be on anyone's list of targets, which means that it is de-facto absolutely secure, even if it is not literally so.

Re:Well... (2, Interesting)

NullProg (70833) | more than 8 years ago | (#14888682)

It is true that 95% of users don't use GPG, but I'd regard that as a flaw in and of itself. Mind you, most e-mail programs (including, IIRC, thunderbird) don't support GPG, although some do support a limited range of digital certificates.

I agree. But again, the way I read the alert, isn't this a "Man In the Middle" attack?

Does it affect routers or the infrastructure of the Internet? Only insofar as domain registrars never validate change requests properly. A carefully-crafted attack could use this to append a change-of-IP request to some ISP's routine request to a registrar, which means an attacker could create a phony DNS server for the express purpose of polluting the DNS namespace. If the registrar uses GPG's validation as proof of a legit request (and some are quite happy with a fax with no proof of origin at all) then it could have an impact.


If you're able to affect routers on an ISP infrastructure then we're not talking script kiddies. We all know DNS hijacking. To do what you're talking about requires leet skillz. Maybe I could, you possibly could, but how many others? How secure is GPG against an amateur?

BTW: my parent post is marked as Troll. Some idiot has moderator points.

Thanks for the response.
Enjoy.

Re:Well... (4, Informative)

lspd (566786) | more than 8 years ago | (#14888972)

I agree. But again, the way I read the alert, isn't this a "Man In the Middle" attack?

It's a replay attack. I take a very terse/vague signed message that you've written and append important evil data to the front or back and resend it. The signature checks out and the meat of the message (the stuff I've added on to the front or end) appears to come from you.

This sort of problem has come up before in other contexts. When you sign an email, for example, it doesn't include the headers or date. If your signed message is general enough, I can copy it and send it to someone else (GPG signatures verify the sender, not the recipient.) One of the situations where this has come up is in the Debian voting process. If a DD mistakenly sends their ballot to the wrong person, then changes their vote, anyone who has a copy of the old ballot can send it again and change the vote back. Debian safeguards against this by allowing each DD to see how their vote was cast after the vote is complete.

Re:Well... (1)

mikeswi (658619) | more than 8 years ago | (#14888868)

"Mind you, most e-mail programs (including, IIRC, thunderbird) don't support GPG"

The Enigmail extension for T-Bird works as a front-end to GPG. I don't know if it can work with GPG in any other way.

Re:Well... (2, Informative)

DrXym (126579) | more than 8 years ago | (#14889264)

The Enigmail extension for T-Bird works as a front-end to GPG.

And very well it works too. I've been using it to communicate with someone who insists on encrypting their mail and it works fine. The biggest problem with it is that it somewhat assumes a familiarity with GPG in the first place to import keys and so on.

It works much better than SMIME which apps like Mozilla, Outlook Express have supported natively for years. SMIME is close to being unusable. It's not those apps' faults (although the companies are partly to blame for adopting the standard). It's just that getting a cert for email is like extracting teeth and the encryption is horribly slow and bloated.

Re:Security Flaw Discovered in GPG? (1)

oglueck (235089) | more than 8 years ago | (#14889235)

GPG is commonly used to sign source code tarballs such as the linux kernel. Those tarballs are mirrored across the world to hundreds of untrusted servers. With this flaw it's possible to modify signed source code (and introduce backdoors for instance). It's definitely not a theoretical problem.

Damn Microsoft!! (4, Funny)

Anonymous Coward | more than 8 years ago | (#14888335)

I'm tired of their insecure crap! Oh wait, it's GNU open source? In that case, you lazy bastard end users should have fixed it yourself!