New PGP/GPG Vulnerability?

Tue Aug 13 08:27:01 2002

Hash: SHA1

On Tuesday 13 Aug 2002 6:16 am, Brent Miller wrote:

> From

The story you quote relates to the S/MIME problems of IE, which do not=20
affect PGP/GPG.

> "Schneier released information Monday about a separate flaw in the
> PGP (Pretty Good Privacy) program that is freely available and used
> to encrypt messages sent over the Internet.

- From another group, I gather that the problem Bruce Schneier raised=20
about PGP does not relate to cryptographic weakness but to the way the=20
program might be (mis)used in practice and, in particular, the way that=20
the Outlook/Outlook Express plugin for PGP works.  If you use PGP in=20
Windows through the system tray (ie do not use the plugin) you will be=20
all right. Since GPG doesn't use PGP plugins, the problem over the=20
programming doesn't apply.

However GPG, like PGP, is still vulnerable to human intervention.  This=20
is what the original story said:

>Researchers at Columbia University and Counterpane Internet Security=20
>Inc. found that someone intercepting an encrypted message could=20
>descramble it by repackaging the message and passing it on to the=20
>The message would appear as gibberish, possibly prompting the recipient=20
>to request a resend.
>If the recipient includes the original text with that request - as many
>people have their configured their software to do automatically when=20
>they reply - the interceptor could then read the original message.

This is akin to you writing down your passphrase and sticking it on your=20
monitor.  It doesn't make GPG or PGP less secure, but the way its used=20
could effectively negate any security.  This was quoted in the same=20

>Using the Outlook+Exchange+PGPplugin combo, the following sequence=20
>usually occurs:
> 1. user receives PGP mail
> 2. plugin decrypts pgp mail
> 3. user hits reply
> 4. outlook formats reply
> 5. outlook sends copy of reply *in plaintext* to exchange server for
>draft copy
> 6. user edits reply
> 7. periodically, outlook *resends* the current working copy to the
>drafts folder
> 8. user completes reply and hits send
> 9. plugin encrypts message and sends encrypted form to exchange server
>10. exchange server deletes draft copies it has received.
>The obvious danger is in stages 5 and 7 - which can be sniffed from the
>network between exchange and the user's pc. In particuar, you could
>induce the user to relay all mail to the exchange server via your own

This shows up not a weakness in PGP/GPG but of the networking system.
- --=20

GPG Key ID: E935DB9D

Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Please sign and encrypt for internet privacy