Please remove MacGPG from gnupg.org due to serious security concerns

Jonathan Schleifer js-gnupg-users at webkeks.org
Tue Feb 17 01:03:38 CET 2015


Am 17.02.2015 um 00:53 schrieb Hugo Osvaldo Barrera <hugo at barrera.io>:

> It is true that there's a pretty big security hole there with "git clone
> git://github.com...", since any malicious attacker can intercept that
> communication. There's no checksumming or anything to make this difficult *at
> all*.

Well, this is only checking out the code. While I agree that this is dangerous, the curl | sh paradigm is even more dangerous.

> What *does* surprise me is that there's a commit to specifically remove git+ssh
> in favour of insecure ssh. There's no comment on why that was done either:
> 
> https://github.com/GPGTools/GPGTools_Core/commit/5186bade36acedfdc0b76f9f5ddfcfc004ec698b

I'm guessing because you need an SSH key at GitHub in order to pull via SSH. Yet another problem solved by git modules.

Still, they could have at least changed it to https.

> However, I'd recommend that you go over the proper support channels first
> (rather than merely twitter) before asking that references to the project are
> deleted.
> 
> As stated on https://gpgtools.org/:
> 
>   Please report any issues you find on our support platform.
> 
> Which points to http://support.gpgtools.org/.

Well, I think there's enough evidence that they do not know how to do things securely. It has even been pointed out in this thread that this is not the first time there are serious security problems. It feels like they are actively trying to make it insecure, because they do things that normally nobody working on a security product would even consider.

Please consider this: GnuPG is a security product. People's lives might depend on it. They might have heard that GnuPG is secure and think they are safe since even Snowden uses it. They go to gnupg.org and then download MacGPG. That's dangerous and there's no way for them to know unless they go check the source.

As a matter of fact, I compromised one of my machines by checking out one of the MacGPG tools, checking the checksum of the downloaded tarball and then typing make. I did not realize it executed remote code (twice even, the curl and the git checkout, on which make is also run later on). They even actively hide the fact, which makes it even worse. Should gnupg.org really endorse that?

--
Jonathan
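An added example, not part of this thread and not code from the GPGTools project: a small Python scanner that flags the two build-step patterns the thread discusses (piping a curl/wget download straight into a shell, and git operations over the unauthenticated git:// or http:// transports), run over a constructed Makefile. The Makefile contents and the example.invalid URLs are made up for the demonstration; `verify_sha256` shows the remediation the thread implies, checking a downloaded artefact against a pinned digest before anything is executed.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import List

# Build-step patterns that fetch and execute code over a channel the
# build cannot authenticate. Each entry: (rule name, regex, remediation).
RULES = [
    ("pipe-to-shell",
     re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(sh|bash|zsh)\b"),
     "download to a file, verify a pinned checksum or signature, then run it"),
    ("git-unauthenticated",
     re.compile(r"\bgit\s+(clone|pull|fetch|submodule\s+update)\b[^\n]*\b(git|http)://"),
     "use https:// or ssh:// so the transport authenticates the server"),
]


@dataclass
class Finding:
    line_no: int
    rule: str
    text: str
    remediation: str


def scan_build_script(text: str) -> List[Finding]:
    """Return one Finding per line that matches a RULES pattern.

    Lines whose first non-blank character is '#' are skipped as comments.
    """
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        for name, rx, fix in RULES:
            if rx.search(line):
                findings.append(Finding(no, name, stripped, fix))
    return findings


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Compare a downloaded artefact against a pinned SHA-256 digest.

    hmac.compare_digest avoids leaking how many leading bytes matched.
    """
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


# Constructed sample Makefile (hypothetical; not any real project's file).
# The "deps" target shows both risky patterns, "build" shows the https form.
SAMPLE_MAKEFILE = """\
# constructed sample, not any real project's Makefile
all: deps build

deps:
\tgit clone git://example.invalid/helper.git helper
\tcurl -fsSL https://example.invalid/bootstrap.sh | sh

build:
\tgit clone https://example.invalid/lib.git lib
\t$(MAKE) -C lib
"""


if __name__ == "__main__":
    for f in scan_build_script(SAMPLE_MAKEFILE):
        print(f"line {f.line_no}: [{f.rule}] {f.text}")
        print(f"    fix: {f.remediation}")
```

Running the block reports line 5 (git:// clone) and line 6 (curl piped to sh) and leaves the https clone alone; the scanner is meant to be pointed at a checked-out tarball's Makefile and bootstrap scripts before `make` is typed, which is exactly the step at which the poster says the remote execution went unnoticed.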