GnuPG's ElGamal Signing Keys Compromised

KjetilK writes "Werner Koch just sent an announcement saying that there is a severe bug in GnuPG >= 1.0.2 that makes it easy to compromise ElGamal keys used for signing. Note that such keys are not generated by GnuPG's standard setup, and should be relatively rare. Among the 850 public keys in my personal keyring, there were only one such public key (and a few subkeys). There is already a patch available to disable these keys."

My key was one of the 850 keys

[quigonn]

Fortunately, Werner Koch informed me yesterday already (I got the email at some time in the morning), so I had plenty of time to create a new key, sign it with the old one, and revoke the old one.

Of course, this had one disadvantage: since the old key is potentially compromised, I cannot really trust in my web of trust anymore. :-/

Re:open source in crisis?

[ajs318]

So instead of choosing a product that was all out in the open, and where he could have audited the code for himself, your boss went for a closed-source product where he wasn't allowed to open it up and check how it worked and furthermore couldn't be sure there wasn't already a serious security vulnerability put there by Microsoft.

Hiding your source code does nothing to help your security. If a programme is written securely, you can publish the source code and nobody will be able to crack it. If a programme is not written securely in the first place, the source code might make it a little easier to crack; but the chance that someone will crack it "accidentally" is independent of whether or not they have seen the source code. And published source code is subject to continuous audit. Which is precisely why we see vulnerabilities in open-source software ..... there is just no way to keep them secret. They appear, they get fixed, it is really not a big deal. Closed-source software can harbour vulnerabilities for a long time before anybody has reason to sort them out. If only a few people are suffering, it's easy for a large corporation like Microsoft to weasel out of fixing a "minor" problem ..... at least, until it gets to the point where they can no longer blame the customer anymore .....

Your boss seriously needs to learn about the disinfectant power of daylight. Either that, or you're a troll. Considering that installing and configuring Apache consists of typing apt-get install apache in a root xterm, I suspect the latter.