Comment and Version lines leak information
Anonymous
nobody at mix.winterorbit.com
Mon Aug 6 06:20:01 CEST 2001
This is a nit, but why is it the default for gpg to output version and
comment strings in ASCII armor blocks?

A security program should not, by default, leak information. There's
no compelling reason why anybody should know which OS you are using,
and there is a good reason not to advertise: it makes it easier for
attackers to exploit known security holes. Likewise, it is
undesirable to publish the version of the encryption program you are
using.

Anybody who wants to do so (for what reason I cannot imagine) can
always turn on these features or add a couple lines to their
config file.
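
An added example, not part of the original post or of GnuPG: a small Python filter that finds and drops `Version` and `Comment` armor headers before a block is published. The name `scrub_armor` and the sample block are constructed for illustration; the header layout assumed is the one in RFC 4880, section 6.2.

```python
import re

# Armor header keys that reveal software or OS details (RFC 4880, section 6.2).
LEAKY_KEYS = {"version", "comment"}
BEGIN_RE = re.compile(r"^-----BEGIN PGP [A-Z0-9 ,/]+-----$")
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*): ?(.*)$")

# Constructed sample; product name, OS and body are placeholders.
SAMPLE = """\
-----BEGIN PGP MESSAGE-----
Version: ExamplePGP 0.0 (ExampleOS)
Comment: constructed sample, not real output

Q29uc3RydWN0ZWQgcGxhY2Vob2xkZXIgYm9keQ==
=AAAA
-----END PGP MESSAGE-----
Version: this line is outside the header section
"""


def scrub_armor(text):
    """Return (cleaned_text, leaked); leaked lists the (key, value) pairs removed.

    Only lines between a BEGIN line and the first blank line are armor
    headers; identical-looking lines anywhere else are left untouched.
    """
    out, leaked, in_headers = [], [], False
    for line in text.splitlines():
        stripped = line.rstrip()
        if BEGIN_RE.match(stripped):
            in_headers = True
            out.append(line)
            continue
        if in_headers:
            m = HEADER_RE.match(stripped)
            if m and m.group(1).lower() in LEAKY_KEYS:
                leaked.append((m.group(1), m.group(2)))
                continue  # drop the leaking header
            if not m:
                in_headers = False  # blank line (or data) ends the header section
        out.append(line)
    return "\n".join(out) + "\n", leaked


if __name__ == "__main__":
    cleaned, leaked = scrub_armor(SAMPLE)
    print(leaked)
    print(cleaned, end="")
```

Armor headers sit outside the base64 data and its checksum, so removing them does not change what the block decodes to.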