Every version of GnuTLS found to be vulnerable to certification bypass.

Ximin Luo infinity0 at pwned.gg
Wed Mar 5 02:33:17 CET 2014


On 05/03/14 00:39, Thomas Gries wrote:
> On 04.03.2014 11:47, Daniel Kahn Gillmor wrote:
>>> Every version of GnuTLS found to be vulnerable to certification bypass.
>> why are you writing this to the gnupg development mailing list?
>>
>> gnupg is entirely independent of gnutls.
> Perhaps you are right, but
> https://twitter.com/kennwhite/status/440941032616624128 says:
> 
> and you should answer him, if he is wrong, or mixing up things.
> One other aspect is that all apt-transport using things are victims, too.
> 

APT uses GPG and is not affected. It looks like that article has patched this up, but "a second layer of protection" is still not correct; GPG is the *only* layer of protection that APT relies on. TLS is Transport Layer Security, not end-to-end security, which is what matters in a distributed system.

X

-- 
GPG: 4096R/1318EFAC5FBBDBCE
git://github.com/infinity0/pubkeys.git



More information about the Gnupg-devel mailing list