Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Flaw Discovered in GPG

Posted by ryuzaki0 on from the enemy-within dept.

WeLikeRoy writes "A serious problem in the use of GPG to verify digital signatures has been discovered, which also affects the use of gpg in email. It is possible for an attacker to take any signed message and inject extra arbitrary data without affecting the signed status of the message. Depending on how gpg is invoked, it may be possible to output just faked data as several variants of this attack have been discovered. All versions of gnupg prior to 1.4.2.2 are affected, and it is thus recommended to update GnuPG as soon as possible to version 1.4.2.2."

3 of 151 comments (clear)

  1. Shouldn't be a surprise... by Spy+der+Mann · · Score: 3, Insightful

    remember how many versions of OpenSSH we have? And why do you think new versions were released? And why should GPG be any different?

  2. Re:Well... by slavemowgli · · Score: 4, Insightful

    It DOES mean that you cannot trust e-mail for commercially sensitive transactions, but nobody should be trusting e-mail for that anyway.

    I don't mean this to come across as flamebait, but that's one of the stupidest comments I've read on Slashdot today. You could just as well - and with the same justification - say that telephones shouldn't be used for conducting business (all business consists of commercially sensitive transactions, mind you), or that letters shouldn't be used, that the postal services can't be trusted, that pens and paper shouldn't be used for writing down contracts, and so on.

    All these things, just like email and just like GPG, are tools. Tools, like everything, are fundamentally insecure, at least theoretically; there is no absolute security. But you can minimise risks by using tools the right way, by making sure that malfunctions don't lead to a cascade of further malfunctions, and - maybe most importantly - by *realising* and *keeping in mind* that nothing is ever perfectly secure. If you do that, you can use email for sensitive things just like you can use the phone network or the postal services or direct face-to-face communication; you merely have to be aware of the risks and how to manage/minimise them.

    Panicking and crying "email is never secure!" isn't going to get you anywhere, really. You're just limiting yourself to other means of communication which are basically just as secure or insecure as email is, and given that statement, chances are you haven't really understood how security works, anyway, so you're probably less secure no matter what you do.

    --
    quidquid latine dictum sit altum videtur.
  3. Re:Not a fundamental flaw. by xquark · · Score: 3, Insightful

    yeah you did, the signing would also include the part " -- Boss" within the signature,
    ergo the injection you proposed would not be valid and hence would be rejected
    by the signature verification process.

    try and add something before or after the actual e-mail message and see how much sense
    it would make to someone reading it...

    Arash

    --
    Arash Partow's Philosophy: Be a person who knows what they don't know, and not a person who doesn't know.