oss-sec mailing list archives

Re: Travis CI MITM RCE

From: zugtprgfwprz () spornkuller de
Date: Thu, 30 Aug 2018 18:13:34 +0200

Hi Daniel,

On 28.08.2018 18:43, Daniel Kahn Gillmor wrote:

In some ways, the keyserver network has done the OpenPGP community a
disservice, by encouraging OpenPGP users to refer to keys by
fingerprints (or even worse, by key IDs).  While this is a useful
shorthand in some contexts, it's really a security/reliability
anti-pattern when it comes to secure programming.


I agree about the "key ID" part, but not about the "fingerprint" part.
Pinning a cryptographic hash over a public key isn't a security
antipattern by any strech of the imagination. Sure, you could argue that
the SHA-1 used by GPG isn't state-of-the-art anymore, but we're not
talking about collision attacks, but second preimage attacks. Far worse
for the attacker.

The way you phrased it, however, all applications of fingerprints/hashes
would be broken (SSH fingerprints, HPKP, etc.), regardless of the hash
function they use.

Cheers,
Joe
t

-- 
"A PC without Windows is like a chocolate cake without mustard."

Current thread:

Travis CI MITM RCE Jakub Wilk (Aug 25)
- Re: Travis CI MITM RCE Phil Pennock (Aug 26)
  - Re: Travis CI MITM RCE Jeremy Stanley (Aug 26)
  - Re: Travis CI MITM RCE Daniel Kahn Gillmor (Aug 28)
    - Re: Travis CI MITM RCE zugtprgfwprz (Aug 30)
    - Re: Travis CI MITM RCE vines (Aug 31)
    - Re: Travis CI MITM RCE zugtprgfwprz (Sep 01)
    - Re: Travis CI MITM RCE Daniel Kahn Gillmor (Aug 31)
    - Re: Travis CI MITM RCE zugtprgfwprz (Sep 01)