GPG weakness

Thomas Harning Jr. harningt at
Thu Jul 25 21:54:17 CEST 2013

I believe the issue here is that if you are running inside a virtual
machine, information can leak between VMs and the VM host about certain CPU
flags/etc. This can lead to the ability to steal data.
In general GnuPG is pretty secure and does a good job at keeping data
protected even if an adversary is on the local machine... however when you
are sharing cycles or have malware running on your machine, the security
game is no longer yours and you are gambling. A step in the right direction
would be to use a hardware token, but if you have malware running, it could
interject itself into the signature flow and have the device sign its own
data instead of data you provide...

On Thu, Jul 25, 2013 at 8:59 AM, Manu García <variosinftk at> wrote:

> Hi.
> I'm not a member of this list, but have read an article that I'd like to
> share, and put into your knowledge (if you don't know it already) because I
> think it is rather important.
> In said article, about security in the Cloud you can read this:
> «Michael Bailey, a computer security researcher at the University of
> Michigan, notes that the software attacked—an e-mail encryption program
> called GNUPrivacy guard—is known to leak information, and that the
> experiment wasn’t carried out inside a real commercial cloud environment.»
> Source:
> I always thought that GnuPG was rather secure, but it seems that among
> experts it's a well known weak and poor ciphering technology which no
> security experts consider seriously. At least that's the impression I get
> reading said article.
> Are devs taking some measures to make GPG really secure?
> Regards.
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at

Thomas Harning Jr. (
