Bugtraq mailing list archives
Re: Yes, they have found a serious PGP vulnerability...sort of
From: Pavel Kankovsky <peak () ARGO TROJA MFF CUNI CZ>
Date: Sun, 25 Mar 2001 01:31:45 +0100
On Fri, 23 Mar 2001, Casper Dik wrote:
> How is any proposed defense going to work? They're modifying your secret key stored on your system; if they can do that they can also remove any checks from your PGP program.

Yes and no. Yes because in most cases, the ability to modify a file containing my secret file implies the ability to control the behaviour of my instances of PGP. No because there are few but real different cases, such as my encrypted secret key (and only the secret key) being transported from one secure point to another secure point through a less secure environment. I myself would expect the encryption is sufficient to protect both the confidentiality and the integrity of my private key in such a situation.

Anyway, the most important reason to release a ``fix'' for the problem is not to reduce actual risks (we see the reduction would be non-zero but quite small) but to convince lusers they can trust PGP again. Most people are pretty bad at risk assessment (car vs. plane accidents, coal vs. nuclear power plants): they are in the ``that PGP thing is damn insecure, I've heard that on TV'' state now (NAI should thank their lucky star it all happened in a small country far away from the U.S.) but as soon as the patch is made available (and announced in the media), the lusers, or an important part of them, will go to the ``they've fixed it, everything is ok, and the sun shines again'' state.

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."