Forgot your password?
typodupeerror

Security Flaw Discovered in GPG 151

Posted by CowboyNeal
from the enemy-within dept.
WeLikeRoy writes "A serious problem in the use of GPG to verify digital signatures has been discovered, which also affects the use of gpg in email. It is possible for an attacker to take any signed message and inject extra arbitrary data without affecting the signed status of the message. Depending on how gpg is invoked, it may be possible to output just faked data as several variants of this attack have been discovered. All versions of gnupg prior to 1.4.2.2 are affected, and it is thus recommended to update GnuPG as soon as possible to version 1.4.2.2."
This discussion has been archived. No new comments can be posted.

Security Flaw Discovered in GPG

Comments Filter:
  • Oh no! (Score:4, Funny)

    by MyLongNickName (822545) on Thursday March 09, 2006 @10:24PM (#14888032) Journal
    A serious security issue in GPG! We are all doomed!

    what is GPG?

    Yeah, I will go RTFA. However, summaries that assume you are familiar with an acronym are rude, IMHO ;)
    • by aprilsound (412645) on Thursday March 09, 2006 @10:34PM (#14888075) Homepage
      From TFA:
      The attack is to change a standard message to inject faked data (F). A simple case is this: F + O + D + S gpg now happily skips F for verification and does a proper signature verification of D and if this succeeds, prints a positive result. However when asked to output the actual signed data it will output the concatenation of F + D and thus create the impression that both are covered by the signature.

      So this is a simple mistake made by GPG, in an effort to coexist well with email and the like.

      In other words, GPG looks at an email message and sees headers and the like. Of course, the headers were not signed (just the message), so GPG skips them and when it encounters the signed message, it begins to verify the signature.

      So, if you are an attacker, you insert something before or after the signed message, and when GPG goes to verify it, the signed message passes, but GPG nicely prints out the whole message for you, instead of just the signed part. Oops, not a big deal, encryption isn't broken, in fact this is just an application bug.

      • by bazald (886779)
        ...as it is already designed to tell you precisely what part of the e-mail is signed. Is there a more convenient way to handle GPG for e-mail than enigmail anyway?
      • Sorry, but this like a big deal to me. The whole point of digital signatures is that you can know exactly what has been signed by the signer -- and be sure that nothing has been added and removed on the way. Consider this e-mail:

        From: BOSS@CORPORATE.COM
        To: MIDDLEMANAGER@CORPORATE.COM
        Subject: Employee Burt Reynolds

        That's a fine lad! Let's give him a raise!

        -- Boss

        GPG SIGNATURE VERIFIED: BOSS@CORPORATE.COM


        Now, this message can be intercepted and a new part inserted before the actual message body,
        • yeah you did, the signing would also include the part " -- Boss" within the signature,
          ergo the injection you proposed would not be valid and hence would be rejected
          by the signature verification process.

          try and add something before or after the actual e-mail message and see how much sense
          it would make to someone reading it...

          Arash

          • try and add something before or after the actual e-mail message and see how much sense
            it would make to someone reading it...


            Huh. That's exactly what I did. Note that the message body is not altered. And that the mail headers (From, To, Subject) are separate from the message body. The inserted text is inserted just before the actual e-mail message body.
        • But if I understood correctly, GPG doesn't include the headers in the signature; so even without this bug, you could just change the subject to refer to Foo Bar.

          Tricky business, security is :(.

    • by baomike (143457) on Thursday March 09, 2006 @10:35PM (#14888079)
      Sound like a movie rating.
    • GPG is: (Score:4, Informative)

      what is GPG?

      GPG stands for Gnu Privacy Guard. It's the Free(tm) replacement for PGP (Pretty Good Privacy) which was originally developed by RSA. Between them, they are one of the standards for encryption and verification of sensitive data (including email).

      As opposed to X509/SSL which seems to be designed for centralized trusted certificate issuers, GPG/PGP depend on a (decentralized) web of trust -- You decide which signatures you wish to trust, and then those signatures can be used to signify who they trust... If you have enough trust in the signature web for a public key you have for someone, then it is presumed that the key is trustable.

      GPG seems to be supported by people who include some serious heavyweights in the encryption community.

      IANASE (I am not a security expert), so any corrections to this explanation would be much appreciated)

      • Re:GPG is: (Score:3, Informative)

        by Zeinfeld (263942)
        GPG stands for Gnu Privacy Guard. It's the Free(tm) replacement for PGP (Pretty Good Privacy) which was originally developed by RSA.

        Given the lawsuits that RSA filed to stop PGP this statement could hardly be more wrong. Phil Zimmerman developed PGP as freeware, then released a commercial version of his code and reclaimed the name. GPG is a name chosen to describe the free version.

        This crack is not particularly new, the first version of PGP had the problem. The only part of the message that is secure i

        • Re:GPG is: (Score:3, Informative)

          by Rikus (765448)
          GPG is a name chosen to describe the free version.
          This sentence is neither informative nor funny.

          No, GnuPG [wikipedia.org] is not the same as PGP [wikipedia.org]. GnuPG was in fact developed to replace PGP, both because PGP is covered by a non-commercial use only license, and (probably) because it by default incorporates the patented IDEA algorithm. Yes, PGP Freeware and GPG are both free and interoperable, but they are not the same thing.
          • Re:GPG is: (Score:3, Informative)

            by Zeinfeld (263942)
            No, GnuPG is not the same as PGP. GnuPG was in fact developed to replace PGP, both because PGP is covered by a non-commercial use only license, and (probably) because it by default incorporates the patented IDEA algorithm. Yes, PGP Freeware and GPG are both free and interoperable, but they are not the same thing.

            The full story is a bit more complex. The original PGP used a lot of patented stuff only Phil Z. did not bother to get a license for any of it. This led Jim Bizdos to complain about the patent inf

      • Re:GPG is: (Score:5, Informative)

        by Martin Blank (154261) on Friday March 10, 2006 @12:08AM (#14888507) Journal
        It's the Free(tm) replacement for PGP (Pretty Good Privacy) which was originally developed by RSA.


        No, PGP wasn't developed by RSA; RSA had nothing at all to do with PGP's development. Use of the RSA asymmetric encryption algorithms has been in use since early versions, but PGP itself was developed by Phil Zimmerman, who got into a patent battle with RSA over his use of the algorithm without their permission (although patent co-holder MIT didn't have a problem with it, complicating the situation). A deal was eventually worked out, and the RSA algorithms have been in ever since.
        • Re:GPG is: (Score:2, Funny)

          by realbadjuju (870896)
          Mod parent up, since he's right...
        • Re:GPG is: (Score:3, Informative)

          by Chapter80 (926879)
          Correct about Phil Zimmerman, and his battles with RSA. Phil also got in trouble with the NSA (National Security Agency branch of the US Government) for the release of PGP. It was a bold move by Phil for the freedom of the software around the world, and he's a freedom hero in my book.

          Back then (early '90s), simple encryption SOFTWARE was considered a munition, similar to if he snuck an atom bomb out of the country. The software was "released" onto the evil internet (perhaps not even by Phil), and as I

          • Re:GPG is: (Score:4, Interesting)

            by Martin Blank (154261) on Friday March 10, 2006 @11:40AM (#14890833) Journal
            Not as bad as an atom bomb, but classified along with, say, machineguns and antitank rockets. The software actually got out of the country legally by way of printing it in book format (which was not considered software at the time) and then scanning it in another country and using character recognition and a good deal of editing time to get it to compile properly.

            This was also a primary catalyst for the argument of how strong exportable encryption should be, and which brought the encryption debate out into the public eye. Had he not done this, we might be a few years behind our current status, just having finished accepted the appropriateness of exporting heavy encryption.
    • Re:Oh no! (Score:5, Interesting)

      by Anonymous Crowhead (577505) on Thursday March 09, 2006 @11:38PM (#14888367)
      It's funny. Back in the day, when Slashdot was cool, almost everyone would know what GPG was. Most of the articles were like this one. Cool stuff about cool technology. Not politics (aside from GNU) and all the other crap like the "new mouse/keyboard techonolgy of the week" adverts that permeates Slashdot these days.
    • Re:Oh no! (Score:3, Funny)

      by pete-classic (75983)
      What the fuck is an IMHO, and what does it have to do with a RTFA?

      -Peter
  • Whew! (Score:5, Funny)

    by suso (153703) * on Thursday March 09, 2006 @10:25PM (#14888037) Homepage Journal
    Its a good thing I don't use GPG to sign my emails. Oh wait.
    • Mails signed with GPG are fine. It's mail that's verified with GPG that can be forged.
    • Re:Whew! (Score:5, Funny)

      by Anonymous Coward on Friday March 10, 2006 @12:31AM (#14888598)
      I have been publishing my GPG key for over a year now and I have yet to have anyone send me an encrypted email. I feel really lonely and unpopular. I'd even read encrypted penis enlargement spam if someone would be thoughtful enough to send me some.
      • Re:Whew! (Score:2, Insightful)

        If you had published your email, I'm sure you'd have 500 encrypted "Hello, world!" emails from other Slashdot readers.

      • Probably, the people you deal with are less technical than you are. I sign all my outgoing emails anyway in an attempt to get people to consider using it, and still get very few encrypted emails also. When I do get one, the person is usually geekier than I am.

        I always have wondered why the spammers aren't using the database of PGP/GPG keys to send spam too. Maybe they are, but obviously aren't willing to sign it for computational reasons, even with a phony key.

      • I have been publishing my GPG key for over a year now and I have yet to have anyone send me an encrypted email.

        The poster was being funny but he does have a serious point. Adoption of GPG is most probably not very high. My guess as to why is the high degree of knowledge required to use GPG. When creating a key, the user is asked a lot of questions the answer, to which, he or she most probably doesn't know without a fairly good understanding of asynchronous encryption technology and PKI [pki-page.org]. Key management i

      • I've never gotten encrypted email, but I've dealt in both directions with encrypted documents, often attached to unencrypted emails. Email in my experience is rarely all that important to keep private (I think 90% of the email I get also goes into public mailing list archives), and when it contains anything important, it tends to be an attachment anyway. Of the exceptions, they're almost all cases where the sender is an automated system that hasn't heard of you before (e.g., online hotel reservations), and
      • Funny, but curiously enough fake PGP/MIME attachments are used by spammers, because older versions of SpamAssassin foolishly increased the score of messages with a signature attachment. This, regrettably, led to the situation of some misguided spam-filtering companies blocking messages with signatures, further hindering adoption.

  • For all the tinfoil hat people out there, I propose that the bug may have been placed intentionally, since GnuPG is, in fact, an opensource community project. So instead of taking hours to obtain a GPG key, the NSA could spend seconds and impersonate an otherwise [strike]paranoid[/strike] privacy-oriented person in typically confidential memos. Maybe a full accounting as to when the bug got there, how it got there, who put it there and the chances of it being purely human error are to be demanded? After

    • by Saeed al-Sahaf (665390) on Thursday March 09, 2006 @10:29PM (#14888057) Homepage
      The NSA secretly seeding Open Source with ingeniously crafted back doors? Never! Not our NSA...
    • by Anonymous Coward
      After all, some people (including myself) have invested some very expensive stakes in the security of GnuPG over the years.

      Ah ha. And how many times did you personally verify the source before you trusted it?
    • by aprilsound (412645) on Thursday March 09, 2006 @10:44PM (#14888118) Homepage
      So instead of taking hours to obtain a GPG key, the NSA could spend seconds and impersonate an otherwise [strike]paranoid[/strike] privacy-oriented person in typically confidential memos.

      I realize this is a joke, but just so everyone knows, a little bit of scrutiny would expose a faked message.

      If you RTF Mailing List, you will see that the "attack" only allows someone to append or prepend data to the signed message, and then the augmented message is only displayed the way it is because of an application bug in GPG.

      No fundamental algorithm is broken, no one has discovered a way to cause collisions. In fact, if you tried to independently verify the signature of the message against the augmented message, it would fail.

      What happens is that GPG skips text that is not part of the signed message, such as email headers and the like, then verifies what is signed. Unfortunately, once it's verified, it will output the whole message, leading the user to believe that the whole message was signed.

      Again if you checked the signature against the whole message it wouldn't verify, GPG is just being a bit too helpful.

      • Quote from parent: "Unfortunately, once it's verified, it will output the whole message, leading the user to believe that the whole message was signed."

        Well, then a little GOOD social engineering could resolve this, right? Some prepend and append markups could help identify what was injected.

        Example: (Pre-encrypted)

        Begin Encrypted Body HERE:

        We snatched the subject at building 232. Skyjack arrived at the field and extracted subject at 2200 hours, and headed 225 True north along evac corridor. Diverted to SSW
        • Better: Everyone uses HTML mail, so:

          Begin prepended text HERE:

          <!--

          End prepended text HERE.

          Begin Encrypted Body HERE:

          We snatched the subject at building 232. Skyjack arrived at the field and extracted subject at 2200 hours, and headed 225 True north along evac corridor. Diverted to SSW 45 seconds later, avoiding ....

          End Encrypted Body HERE.

          Begin appended text HERE:

          --> We're caught! Destroy the evidence... and kill Jack, that damned traitor!

          End prepended text HERE.
      • Instead of using S/MIME method, which attaches the signature separately, would the old style --clearsign 'ing the message help? The clearsign hashes the content and displays the message inside a template with signature. Any new prepend or append inside would easily catch it as bad signature or when outside will lead the receiver to ignore it.
    • It's not the kind of bug that people would put in intentionally; it's more a conceptual error, made when trying to retrofit digital signatures into an email system not designed for it.

      As to where it came from, you can check the version control log files; it's all there.
    • Yeah. And it's great that those thousands of open-source eyeballs caught it before... oh, wait.
      • Way to miss the point!

        If GPG had been a closed-source product, almost nobody would ever have known about the flaw. People would just have carried on using it [*], believing it safe, and the exploit would have stayed underground. It's precisely because it's Open Source that anybody discovered the problem at all. At least now, it can be fixed -- in fact, it already has been fixed.

        [*] Well, actually, they wouldn't, because using closed-source crypto is up there in the top ten Bloody Stupid Ideas, along
  • by Anonymous Coward

    that GPG user lives downstairs i'll just tell him there is a problem

  • Is this flaw in encoding or decoding? IOW, will the new version of GPG be able to sniff out modified signatures, or are all signatures made by old versions modifiable w/ no recourse?
    • no flaw in encoding or decoding..
      The problem is in display. It displays the unencoded preamble and postscript inline with the (properly) verified parts of the email. You then, essentially, have to guess which is which.
      • no flaw in encoding or decoding..
        The problem is in display. It displays the unencoded preamble and postscript inline with the (properly) verified parts of the email. You then, essentially, have to guess which is which.


        Not quite. Depending on how GnuPG is called, the output might be either the real signed data alone, the appended data alone, or a mix.
  • Aha! (Score:5, Funny)

    by evil agent (918566) on Thursday March 09, 2006 @10:35PM (#14888081)
    She thought she could get rid of me with that rejection via email. Now I've got reasonable doubt about her feelings. Until I get that court order, of course.
  • by Spy der Mann (805235) <spydermann.slashdot@gmai l . c om> on Thursday March 09, 2006 @10:36PM (#14888083) Homepage Journal
    remember how many versions of OpenSSH we have? And why do you think new versions were released? And why should GPG be any different?
  • by Doc Ruby (173196) on Thursday March 09, 2006 @10:49PM (#14888138) Homepage Journal
    Another good recommendation is to diversify your crypto. Sign/encrypt your data with multiple different crypto algorithms in the same message. It's like network redundancy: the odds of both methods failing at once are equal to the product of the low, but significant, probability of either failing. A single failure doesn't ever compromise your data, and buys time to get a new second method that works.

    Of course, sent messages can't be recovered for reprotection with the new second method. And eventually the other original method will be compromised, so the attacker can use the appropriate methods for each. But at least you've improved your security. Probably more than the next guy. Next lesson: when the bear is chasing y'all, you don't have to be the fastest; just not the slowest.
    • by TPS Report (632684) on Thursday March 09, 2006 @11:32PM (#14888332) Homepage

      Another good recommendation is to diversify your crypto. Sign/encrypt your data with multiple different crypto algorithms in the same message.

      That's an awesome idea. I'm going to start doing that right now! :P

      This is a multi-part message in MIME format.
      ------=_NextPart_000_0012_01C22048.805E68 00
      Content-Type: text/plain; charset="iso-8859-1"
      Content-Transfer-Encoding: 7bit Test ------=_
      NextPart_000_0012_01C22048.805E6800 Content-Type:

      application/x-pkcs7-signature; name="smime.p7s"

      Content-Transfer-Encoding: base64 Content-Disposition:
      attachment; filename="smime.p7s"</b>
      MIAGCSqGSIb3DQEHAqCAMIAC AQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAo
      IIKGDCC Ajww ggGlAhAyUDPPUNFW81yBrWVcT8glMA0GCSqGSIb3DQEBAgUAMF 8xC
      zAJBgNVBAYTAlVTMRcwFQYD VQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ
      2xhc3Mg MSBQdWJsaWMgUHJpbWFyeSBDZXJ0 aWZpY2F0aW9uIEF1dGhvcml0eTAeF
      w05NjAxMjkwMDAwMDBa Fw0yMDAxMDcyMzU5NTlaMF8xCzAJ BgNVBAYTAlVTMRcwF
      QYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3 MDUGA1UECxMuQ2xhc3MgMSBQdWJs aWMgU
      HJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCB nzANBgkqhkiG9w0BAQEFAA
      OBjQAw gYkCgYEA5Rm/baNWYS2ZSHH2Z965jeu3noaACpEO+jglr0aIgu VzqKCbJF
      0NH8xlbgyw0FaEGIea BpsQoXPftFg5a27B9hXVqKg/qhIGjTGsf7A01480Z4gJzR
      QR 4k5FVmkfeAKA2txHkSm7NsljXMXg 1y2He6G3MrB7MLoqLzGq7qNn2tsCAwEAAT
      ANBgkqhkiG9w0B AQIFAAOBgQBLRGZgaGTkmBvzsHLm lYl83XuzlcAdLtjYGdAtND
      3GUJoQhoyqPzuoBPw3UpXD2cnb zfKGBsSxG/CCiDBCjhdQHGR6uD6Z SXSX/KwCQ/
      uWDFYEJQx8fIedJKfY8DIptaTfXaJMxRYyqEL2 Raa2Nrngv2U2k8LS12vc3lnWojX
      RTCCAy4wggKXoAMCAQICE QDSdi6NFAw9fbKoJV2v7g11MA0GCSqGSIb3DQEBAgUAM
      F8xC zAJBgNV BAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1 UEC
      xMuQ2xhc3MgMSBQdWJsaWMg UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0e
      TAeFw05 ODA1MTIwMDAwMDBaFw0wODA1MTIy MzU5NTlaMIHMMRcwFQYDVQQKEw5WZ
      XJpU2lnbiwgSW5jLjEf MB0GA1UECxMWVmVyaVNpZ24gVHJ1 c3QgTmV0d29yazFGM
      EQGA1UECxM9d3d3LnZlcmlzaWduLmNv bS9yZXBvc2l0b3J5L1JQQSBJbmNv cnAuI
      EJ5IFJlZi4sTElBQi5MVEQoYyk5ODFIMEYGA1UEAxM/ VmVyaVNpZ24gQ2xhc3MgMS
      BDQSBJ bmRpdmlkdWFsIFN1YnNjcmliZXItUGVyc29uYSBOb3QgVmFsaW RhdGVkMI
      GfMA0GCSqGSIb3DQEB AQUAA4GNADCBiQKBgQC7WkSKBBa7Vf0DeootlE8VeDa4DU
      qy b5xUv7zodyqdufBou5XZMUFweoFL uUgTVi3HCOGEQqvAopKrRFyqQvCCDgLpL/
      vCO7u+yScKXbaw NkIztW5UiE+HSr8Z2vkV6A+Hthzj zMaajn9qJJLj/OBluqexfu
      /J2zdqyErICQbkmQIDAQABo3ww ejARBglghkgBhvhCAQEEBAMCAQYw RwYDVR0gBE
      AwPjA8BgtghkgBhvhFAQcBATAtMCsGCCsGAQUF BwIBFh93d3cudmVyaXNpZ24uY29
      t L3JlcG9zaXRvcnkvUlBBMA8GA1UdEwQIMAYBAf8CAQAwCwYDVR 0PBAQDAgEGMA0
      GCSqGSIb3DQEB AgUAA4GBAIi4Nzvd2pQ3AK2qn+GBAXEekmptL/bxndPKZDjcG5 g
      MB4ZbhRVqD7lJhaSV8Rd9Z7R/ LSzdmkKewz60jqrlCwbe8lYq+jPHvhnXU0zDvcj
      jF7WkSUJj 7MKmFw9dWBpJPJBcVaNlIAD9GCDl X4KmsaiSxVhqwY0DPOvDzQWikK5
      uMIIEojCCBAugAwIBAgIQ BUy90AsJrAtbnO8CULdhXDANBgkq hkiG9w0BAQIFADC
      BzDEXMBUGA1UEChMOVmVyaVNpZ24sIElu Yy4xHzAdBgNVBAsTFlZlcmlTaWdu IFR
      ydXN0IE5ldHdvcmsxRjBEBgNVBAsTPXd3dy52ZXJpc2ln bi5jb20vcmVwb3NpdG9y
      eS9SUEEg SW5jb3JwLiBCeSBSZWYuLExJQUIuTFREKGMpOTgxSDBGBgNVBA MTP1Zl
      cmlTaWduIENsYXNzIDEg Q0EgSW5kaXZpZHVhbCBTdWJzY3JpYmVyLVBlcnNvbmEg
      Tm90 IFZhbGlkYXRlZDAeFw0wMTA3MTYw MDAwMDBaFw0wMjA3MTYyMzU5NTlaMIIB
      FDEXMBUGA1UEChMO VmVyaVNpZ24sIEluYy4xHzAdBgNV BAsTFlZlcmlTaWduIFRy
      dXN0IE5ldHdvcmsxRjBEBgNVBAsT PXd3dy52ZXJpc2lnbi5jb20vcmVw b3NpdG9y
      eS9SUEEgSW5jb

    • you can also bzip2 your gzip files to improve your compression.
      • Actually, sometimes compression methods can squeeze extra reductions when used in series. But that's not a defense against failure - though the compression phase of most encryption methods might see that extra reduction as a bonus. The point is not just to make the encrypted message "more encrypted", but to guard against the eventual failure of one of the methods. The odds of both methods failing within a short time period are very odd indeed.
    • Triple bag it (Score:2, Informative)

      by Anonymous Coward
      "For instance, the use of double encryption does not provide the expected increase in security [MH81] when compared with the increased implementation requirements, and it cannot be recommended as a good alternative. Instead, triple-encryption is the point at which multiple encryption gives substantial improvements in security."

      From http://www.x5.net/faqs/crypto/q85.html [x5.net]
      • Any increase is valuable, its value depending on the total data protected by the total effort over time. Increased implementation requirements can be met by automation, which cost must as always be compared to its benefit.

        However, the principle in that FAQ is sound within its scope. In combination with the consideration I mention, the right approach is to use as many redundant methods as possible given costs, network and processing bandwidth.

        Again, the redundancy operates on exactly the same principle as th
  • by Anonymous Coward
    So a bug was discovered in the older versions of an open source software and if you have a recent update, you are not affected? Really, stuff that matters, I am shocked and surprised!
  • I tried the Windows version of GNUPG and it refuses to recognize any public or private keys that it generates or that I imported from PGP. I counted on using it after switching to Thunderbird, but GNUPG broke and the updates do not seem to fix it. Maybe it has issues with XP SP2, NTFS or something?

    Ah well, maybe I can install it on my Linux machine?
    • It may already be on your Linux machine. My SuSe machine had it preinstalled and there is a KDE GUI front end that works almost exactly like PGP from pgp.com. Enigmail works fine with it along with T-bird, although it broke HTML by changing a config setting. I had to run that problem down and fix it [mikehealan.com].
  • Anyone else remember hearing about this at Defcon last year?
  • by Yoik (955095) on Thursday March 09, 2006 @11:24PM (#14888295) Journal
    That information should never have been released! The negative press will impact sales. It would have been better to pretend the bug never existed.

    Oh, it isn't corporate product, nevermind.
  • check.. (Score:5, Funny)

    by dotpavan (829804) on Thursday March 09, 2006 @11:25PM (#14888301) Homepage
    did anybody cross-check the authenticity of that warning? I wont accept that until I verify its GPG key :)
    • Yep, here's the signed version of the summary:

      A serious problem in the use of GPG to verify digital signatures has been discovered, which also affects the use of gpg in email. All versions of gnupg prior to 1.4.2.2 are affected, and it is thus recommended to update GnuPG as soon as possible to version 1.4.2.2.

      Please disregard the remainder of this email.
      -----BEGIN PGP SIGNED MESSAGE-----
      Joe,
      Are you coming to the pub tonight?
      Ben.
      -----BEGIN PGP SIGNATURE-----
      Version: GnuPG v1.0.7 (Darwin)
      Comment: http://www.r [rbisland.cx]
  • by sidney (95068) on Thursday March 09, 2006 @11:27PM (#14888311) Homepage
    The bug allows someone to take a signed GPG message, stick in their own unsigned message in a certain way, and GPG will show you the combined message or even just the new message, but tell you that it is signed by the person who signed the original message.

    If you read the message using the new GPG 1.4.2.2 it will correctly not accept the hacked message. So if you have any question about signed mail you received, you can check it again after upgrading GPG.

    The bug only affects embedded signatures, such as in email messages using inline signatures or signed encrypted email. I think that excludes PGP/MIME signed unencrypted email, which is a common format for signed mail and would be a form of detached signature.

    The bug does not affect "detached signatures", which are the kind that are used to verify software downloads, which means it could not have been used to hack yum, apt-get, etc.

    All in all, not a big security flaw unless someone takes a signed email that you sent them, forges a GPG signed request to your domain registrar to transfer your million dollar domain name to them, and your registrar hasn't yet updated to GPG 1.4.2.2. Whoops -- if you upgrade GPG right now, it wouldn't help in that scenario.
    • Please note that when you update, your version number may not change. Depending on what OS you use and who you get your updates from, you might get an old version with back-ported fixes. If your version number is not the one mentioned here, you need to check with your OS vendor. Most will have a Web site listing security updates and what vulnerabilities they address.
  • by NullProg (70833) on Thursday March 09, 2006 @11:32PM (#14888331) Homepage Journal
    Shouldn't this read Security Flaw Discovered for users of GPG ?

    I'm guessing, but 95% of computing world doesn't use GPG. And isn't this a "Man In the Middle" attack? How many routers have been compromised that I need to worry about this?

    Are my GPG encrypted messages to the kremlin, CIA, or FBI less secure? Are my "lovey-dovey, are you naked" messages to my wife compromised? Thats about all I use GPG for.

    Enjoy.
    • Well... (Score:3, Informative)

      by jd (1658)
      It is true that 95% of users don't use GPG, but I'd regard that as a flaw in and of itself. Mind you, most e-mail programs (including, IIRC, thunderbird) don't support GPG, although some do support a limited range of digital certificates.

      Does it make the e-mails less safe? No. First, the flaw is for adding material, not reading it. Second, it's for signing, not encryption per-se. It DOES mean that you cannot trust e-mail for commercially sensitive transactions, but nobody should be trusting e-mail for that

      • Re:Well... (Score:5, Insightful)

        by slavemowgli (585321) on Friday March 10, 2006 @12:42AM (#14888632) Homepage

        It DOES mean that you cannot trust e-mail for commercially sensitive transactions, but nobody should be trusting e-mail for that anyway.

        I don't mean this to come across as flamebait, but that's one of the stupidest comments I've read on Slashdot today. You could just as well - and with the same justification - say that telephones shouldn't be used for conducting business (all business consists of commercially sensitive transactions, mind you), or that letters shouldn't be used, that the postal services can't be trusted, that pens and paper shouldn't be used for writing down contracts, and so on.

        All these things, just like email and just like GPG, are tools. Tools, like everything, are fundamentally insecure, at least theoretically; there is no absolute security. But you can minimise risks by using tools the right way, by making sure that malfunctions don't lead to a cascade of further malfunctions, and - maybe most importantly - by *realising* and *keeping in mind* that nothing is ever perfectly secure. If you do that, you can use email for sensitive things just like you can use the phone network or the postal services or direct face-to-face communication; you merely have to be aware of the risks and how to manage/minimise them.

        Panicking and crying "email is never secure!" isn't going to get you anywhere, really. You're just limiting yourself to other means of communication which are basically just as secure or insecure as email is, and given that statement, chances are you haven't really understood how security works, anyway, so you're probably less secure no matter what you do.

        • by jd (1658)
          You're correct that it's like saying telephones shouldn't be used by businesses. Indeed, I'm rather surprised that telephones are still used for such transactions, when bugging telephones is not difficult and apparently quite common. The military use "STUs" (Secure Telephone Units) that use strong encryption - probably in a manner very similar to GnuPG - for all sensitive communication.

          With the advent of VoIP, crypto chips that you can buy off the shelf, etc, it would neither be difficult nor unreasonable f

        • I don't mean this to come across as flamebait, but that's one of the stupidest comments I've read on Slashdot today.
          And that's saying something.
      • Re:Well... (Score:3, Interesting)

        by NullProg (70833)
        It is true that 95% of users don't use GPG, but I'd regard that as a flaw in and of itself. Mind you, most e-mail programs (including, IIRC, thunderbird) don't support GPG, although some do support a limited range of digital certificates.

        I agree. But again, the way I read the alert, isn't this a "Man In the Middle" attack?

        Does it affect routers or the infrastructure of the Internet? Only insofar as domain registrars never validate change requests properly. A carefully-crafted attack could use this to appe
        • Re:Well... (Score:5, Informative)

          by lspd (566786) on Friday March 10, 2006 @02:44AM (#14888972) Homepage Journal
          I agree. But again, the way I read the alert, isn't this a "Man In the Middle" attack?

          It's a replay attack. I take a very terse/vague signed message that you've written and append important evil data to the front or back and resend it. The signature checks out and the meat of the message (the stuff I've added on to the front or end) appears to come from you.

          This sort of problem has come up before in other contexts. When you sign an email, for example, it's doesn't include the headers or date. If your signed message is general enough, I can copy it and send it to someone else (GPG signatures verify the sender, not the recipient.) One of the situations where this has come up is in the Debian voting process. If a DD mistakenly sends their ballot to the wrong person, then changes their vote, anyone who has a copy of the old ballot can send it again and change the vote back. Debian safeguards against this by allowing each DD to see how their vote was cast after the vote is complete.
          • One of the situations where this has come up is in the Debian voting process. If a DD mistakenly sends their ballot to the wrong person, then changes their vote, anyone who has a copy of the old ballot can send it again and change the vote back. Debian safeguards against this by allowing each DD to see how their vote was cast after the vote is complete.

            That is not flaw in GPG, it is poor design. The vote should contain a timestamp and the most recent timestamp is the current vote. That doesn't cover the pos
      • "Mind you, most e-mail programs (including, IIRC, thunderbird) don't support GPG"

        The Enigmail extension for T-Bird works as a front-end to GPG. I don't know if it can work with GPG in any other way.
        • Re:Well... (Score:3, Informative)

          by DrXym (126579)
          The Enigmail extension for T-Bird works as a front-end to GPG.

          And very well it works too. I've been using it to communicate with someone who insists on encrypting their mail and it works fine. The biggest problem with it is that it somewhat assumes a familiarity with GPG in the first place to import keys and so on.

          It works much better than SMIME which apps like Mozilla, Outlook Express have supported natively for years. SMIME is close to being unusable. It's not those app's faults (although the companys

      • It is true that 95% of users don't use GPG, but I'd regard that as a flaw in and of itself. Mind you, most e-mail programs (including, IIRC, thunderbird) don't support GPG, although some do support a limited range of digital certificates.

        I guess the Enigmail [mozdev.org] folks aren't really doing anything then? Not sure if poster deserves an "Informative" moderation.

        I think most of the major email clients support encryption beyond a "limited range of digital certificates". There are GPG plugins for Outlook. I'm not sure

    • GPG is commonly used to sign source code tarballs such as the linux kernel. Those tarballs are mirrored across the world to hundreds of untrusted servers. With this flaw it's possible to modify signed source code (and introduce backdoors for instance). It's definitely not a theoretical problem.
  • by Anonymous Coward on Thursday March 09, 2006 @11:32PM (#14888335)
    I'm tired of their insecure crap! Oh wait, its GNU open source? In that case, you lazy bastard end users should have fixed it yourself!
  • Quick! (Score:4, Funny)

    by SuperKendall (25149) * on Thursday March 09, 2006 @11:50PM (#14888441)
    Better assign a security Czar!
  • by Gemini (32631) on Friday March 10, 2006 @12:14PM (#14891047)
    In an effort to inject some facts here:

    1. This does not apply to signed software tarballs (like the Linux kernel)

    2. This does not apply to PGP/MIME signed email messages (a la mutt, Enigmail, etc)

    3. This does not apply to clearsigned email messages (a la everything else)

    This applies to a very specific case where a message is constructed by hand with multiple data packets and a single signature packet, so:

    1. It might apply to PGP/MIME signed+encrypted email messages.

    2. It might apply to sign+encrypted messages in general.

    3. It might apply to unencrypted-but-binary-signed messages (essentially signed+encrypted without the encryption - generally not used much).


    I say "might" as in all of these cases it depends on how GnuPG is called.

Nothing is more admirable than the fortitude with which millionaires tolerate the disadvantages of their wealth. -- Nero Wolfe

Working...