GPG weakness

Robert J. Hansen rjh at sixdemonbag.org
Fri Jul 26 00:20:27 CEST 2013


On 7/25/2013 8:59 AM, Manu García wrote:
> I'm not a member of this list, but have read an article that I'd like
> to share, and put into your knowledge (if you don't know it already) 
> because I think is rather important.

It is not very important, to be honest, but we still thank you for
bringing it here.  :)

> In said article, about security in the Cloud you can read this:
> 
> «Michael Bailey, a computer security researcher at the University of 
> Michigan, notes that the software attacked—an e-mail encryption
> program called GNUPrivacy guard—is known to leak information, and
> that the experiment wasn’t carried out inside a real commercial cloud
> environment.»

The overwhelming majority of technology journalism is somewhere between
wildly uninformed and complete bollocks.  This article is one of them.

The first rule of using GnuPG -- and this is something that the GnuPG
developers strongly endorse -- is that *you must control the physical
hardware GnuPG is running on*.  If you don't, then there is literally no
end to the malfeasance an attacker can perpetrate.  If you don't have
physical control over the hardware, don't run GnuPG on it!

So, in light of this first rule, is it really all that surprising that
GnuPG should have security problems when it's run "in the cloud" --
which means running it on hardware you don't physically control?

Rule One exists for a reason.  Violate Rule One and it becomes pretty
easy to play hob with GnuPG.  This article is all about some researchers
who violated Rule One and discovered a new way to play hob.  It's
interesting research, but completely irrelevant to GnuPG users who are
wise enough to obey Rule One.  :)

> I always thought that GnuPG was rather secure, but it seems that
> among experts it's a well known weak and poor ciphering technology
> which no security experts consider seriously.

Beware of all experts.  An ex is a has-been, and a spurt is a drip under
pressure.

For what it does -- securing communications in transit -- GnuPG is a
well-regarded piece of software which is widely used in some extremely
demanding fields.  I have personally seen it used by international
telecommunications companies to secure tens of millions of dollars of
transactions, for instance.

> At least that's the impression I get reading said article.

And this is why you should beware of all tech journalism.  The
overwhelming majority of it is simply awful and uninformed.




More information about the Gnupg-users mailing list