> I don't want to warm up this topic again, but... didn't Robert say in his
> github gist that the issue was known for more than a decade?
I did. Much closer to two decades than one. I remember talking about
it with Randy Harmon of PGP Security in 2000.
> Why was it then not fixed a decade ago
Sebastian Schinzel wrote:
> Those are two different papers.
>
> 1. The 'Johnny, you are fired' paper solely dealt with signature spoofing
> and the repo is here:
>
> https://github.com/RUB-NDS/Johnny-You-Are-Fired
>
> 2. The paper mentioned in the thread above is 'Re: What's Up Johnny? --
> Cove
On 12 August 2019 18:27:49 BST, Peter Lebbing wrote:
>On 12/08/2019 18:39, Stefan Claas via Gnupg-users wrote:
>> Why was it then not fixed a decade ago, like it was done with 2.2.17?
>
>There is no fix for the SKS keyserver network, which explains why it
>wasn't fixed in 2.2.17 either. In fact
On 12.08.19 at 17:47, Stefan Claas via Gnupg-users wrote:
> Sebastian Schinzel wrote:
>
>> Dear all,
>>
>> Jens Müller just gave a talk at DEFCON about Covert Content Attacks
>> against S/MIME and OpenPGP encryption and digital signatures in the
>> email context. He just published the PoC emails
Peter Lebbing wrote:
> On 12/08/2019 18:39, Stefan Claas via Gnupg-users wrote:
> > Why was it then not fixed a decade ago, like it was done with 2.2.17?
>
> There is no fix for the SKS keyserver network, which explains why it
> wasn't fixed in 2.2.17 either. In fact, fixes have been deployed ove
> I don't want to warm up this topic again, but... didn't Robert say in his
> github gist that the issue was known for more than a decade?
>
> Why was it then not fixed a decade ago, like it was done with 2.2.17?
The link in the github document points to another link which explains
that the cod
On 12/08/2019 16:44, Ryan McGinnis via Gnupg-users wrote:
Yes, ironically, this proof of concept is the responsible way to
demonstrate the issue (after a sufficient waiting period following a
private disclosure to the developers)
I don't understand how this is irony. I must have missed somethi
On 12/08/2019 18:39, Stefan Claas via Gnupg-users wrote:
> Why was it then not fixed a decade ago, like it was done with 2.2.17?
There is no fix for the SKS keyserver network, which explains why it
wasn't fixed in 2.2.17 either. In fact, fixes have been deployed over
the last several years. DANE,
On 8/12/2019 at 7:28 AM, "Juergen Bruckner via Gnupg-users"
wrote:
>On 11.08.19 at 23:47, Anonymous Remailer (austria) wrote:
>>
>> https://github.com/skeeto/pgp-poisoner
=
Here is a quote from the above site:
=[ begin quoted material ]=
As far as keyserver weaknesses go, key
Ryan McGinnis via Gnupg-users wrote:
> Yes, ironically, this proof of concept is the responsible way to demonstrate
> the issue (after a sufficient waiting period following a private disclosure
> to the developers), rather than, say, demonstrating the issue by spitefully
> poisoning the keys of a
Ryan McGinnis via Gnupg-users wrote:
[snip]
Not to be off-topic but I wonder why your message, when reading it
in my MUA, displays this in the message body:
Never seen this before on the ML.
c"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="publicKey - r...@digican
Sebastian Schinzel wrote:
> Dear all,
>
> Jens Müller just gave a talk at DEFCON about Covert Content Attacks
> against S/MIME and OpenPGP encryption and digital signatures in the
> email context. He just published the PoC emails that he used in the talk
> and they might be useful for further tes
Yes, ironically, this proof of concept is the responsible way to demonstrate the issue (after a sufficient waiting period following a private disclosure to the developers), rather than, say, demonstrating the issue by spitefully poisoning the keys of a few prominent people in the GPG community. T
Juergen Bruckner via Gnupg-users wrote:
> That's pretty interesting, but the author also says he did this as showcase.
> Nonetheless, it's not really good to have such a tool "in the wild", and
> even on a platform like GitHub
AFAIK it is common practice to publish PoCs to help program authors to im
* da...@gbenet.com:
> putting this code on Github whilst demonstrating a point - was foolish
No, it was not. Foolish would be to pretend the conceptual flaw does not
exist, cover your ears with your hands and go "la la la".
> To say that this was in practice and common knowledge for years - it's
On Mon, Aug 12, 2019 at 8:10 AM David wrote:
>
> On 12/08/2019 12:25, Juergen Bruckner via Gnupg-users wrote:
> > That's pretty interesting, but the author also says he did this as showcase.
> > Nonetheless, it's not really good to have such a tool "in the wild", and
> > even on a platform like GitH
Dear all,
Jens Müller just gave a talk at DEFCON about Covert Content Attacks
against S/MIME and OpenPGP encryption and digital signatures in the
email context. He just published the PoC emails that he used in the talk
and they might be useful for further testing.
https://github.com/RUB-NDS/Cover
> To be frank - putting this code on Github whilst demonstrating a point -
> was foolish
No it's not. It is the basis of cryptography.
See also: https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle
> Now you have put the code into the public domain - to prove a point?
Yes. And that point is t
On 12/08/2019 12:25, Juergen Bruckner via Gnupg-users wrote:
> That's pretty interesting, but the author also says he did this as showcase.
> Nonetheless, it's not really good to have such a tool "in the wild", and
> even on a platform like GitHub
>
> regards
> Juergen
>
> Am 11.08.19 um 23:47 schr
Juergen Bruckner via Gnupg-users wrote:
> That's pretty interesting, but the author also says he did this as showcase.
> Nonetheless, it's not really good to have such a tool "in the wild", and
> even on a platform like GitHub
A tool like this has been in the wild for several weeks. As skeeto says
That's pretty interesting, but the author also says he did this as showcase.
Nonetheless, it's not really good to have such a tool "in the wild", and
even on a platform like GitHub
regards
Juergen
On 11.08.19 at 23:47, Anonymous Remailer (austria) wrote:
>
> https://github.com/skeeto/pgp-poisoner
https://github.com/skeeto/pgp-poisoner
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users