Comment and Version lines leak information

Janusz A. Urbanowicz alex at bofh.torun.pl
Mon Aug 13 15:20:01 CEST 2001


Anonymous Remailer wrote/napisał[a]/schrieb:
> Frank Tobin writes:
> >Anonymous, at 05:18 +0200 on Mon, 6 Aug 2001, wrote:
> >> A security program should not, by default, leak information.
> > 
> > You're talking about anonymity, which is different from security.
> 
> Nothing was said about anonymity.
> 
> > The type of "security" you get from the measures you describe is
> > merely obfuscation.
> 
> Word games aside, real security people don't go out of their way to
> leak information.

It depends on the definition of 'real security people' you use, I'm afraid.

> > Furthermore, when developing a widely-distributed program such as
> > GnuPG, and trying to ensure interoperability, it is very useful to
> > know what versions people are using.  Just like ssh and Apache,
> > there is no attempt to hide what version the software is.
> 
> The version and comment strings are unused by the software.
> 
> Having used gpg and pgp steadily for years, and having provided a lot
> of free support, I can state with confidence that these strings are of
> little use because you have to ask "what are you using?" anyway.  In
> the worst case, which I believe scarcely exists, you could turn on the
> feature, even if it wasn't the default.

At least it helps to determine a correspondent's version at a glance and warn
him that his version may be insecure. Done that for people using ADK-unfixed
PGP versions.

Alex
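An added example, not code from this thread or from GnuPG or PGP: it reads the Armor Header lines (RFC 4880 section 6.2) of an ASCII-armored block, reports the Version and Comment values the thread is arguing about, and writes a copy with those two headers removed. The sample block, its header values and its base64 body are constructed.

```python
IDENTIFYING = {"version", "comment"}   # armor headers that identify the sender's software

def armor_headers(armored):
    """Return the Armor Headers found between the -----BEGIN line and the
    blank line that ends the header section; the base64 body is not touched."""
    headers = {}
    in_headers = False
    for line in armored.splitlines():
        if line.startswith("-----BEGIN PGP"):
            in_headers = True
        elif in_headers:
            if not line.strip():
                break  # blank line ends the header section
            key, sep, value = line.partition(":")
            if sep:
                headers[key.strip()] = value.strip()
    return headers

def identifying_headers(armored):
    """Only the headers a third party could use to fingerprint the software."""
    return {k: v for k, v in armor_headers(armored).items() if k.lower() in IDENTIFYING}

def strip_identifying_headers(armored):
    """Copy of the block with Version/Comment removed; the blank separator line
    stays, so a block with no headers left is still valid armor."""
    out, in_headers = [], False
    for line in armored.splitlines():
        if line.startswith("-----BEGIN PGP"):
            in_headers = True
        elif in_headers and not line.strip():
            in_headers = False
        elif in_headers and line.partition(":")[0].strip().lower() in IDENTIFYING:
            continue
        out.append(line)
    return "\n".join(out) + "\n"

# Constructed sample block; the base64 body is not a real ciphertext.
SAMPLE = """-----BEGIN PGP MESSAGE-----
Version: ExampleClient 1.2.3
Comment: For info see http://example.invalid
Charset: utf-8

aGVsbG8gd29ybGQ=
=Z2Fy
-----END PGP MESSAGE-----
"""
```

On the sample, identifying_headers() returns the Version and Comment values, and strip_identifying_headers() leaves only the Charset header, the separator line and the body intact.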
More information about the Gnupg-devel mailing list