<div dir="ltr"><span style="font-size:12.8px">Hi Murphy,</span><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">This email refers to the ROCA vulnerability (<a href="https://crocs.fi.muni.cz/public/papers/rsa_ccs17" target="_blank">https://crocs.fi.muni.cz/<wbr>public/papers/rsa_ccs17</a>), which affects a number of hardware devices including some versions of the Yubikey 4-nano (<a href="https://www.yubico.com/keycheck/" target="_blank">https://www.yubico.com/<wbr>keycheck/</a>). I believe Yubico are offering to replace affected Yubikeys.</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">One aspect of this vulnerability is that RSA public keys can be very easily checked to determine if they are vulnerable - so at Facebook, we checked the public keys that have been uploaded to people's profiles, and notified people whose keys are affected. Unfortunately it seems like you were one of the unlucky ones! Details here: <a href="https://www.facebook.com/protectthegraph/posts/1954548564785285" target="_blank">https://www.facebook.com/<wbr>protectthegraph/posts/<wbr>1954548564785285</a>.</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">Hope that helps,</div><div style="font-size:12.8px">Jon</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 1 November 2017 at 00:10, murphy <span dir="ltr"><<a href="mailto:mac3iii@gmail.com" target="_blank">mac3iii@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I got a signed notification from facebook (good signature, enigmail)<br>
that claims my GnuPG generated public key has a "recently disclosed<br>
vulnerability". This is the full text:<br>
<br>
We have detected that the OpenPGP key on your Facebook profile may be<br>
susceptible to attacks due to a recently disclosed vulnerability. We<br>
recommend that you revoke and replace your public key immediately to<br>
minimize the risk to your encrypted communications. You can update your<br>
public key by visiting your Security and Login settings. To help reduce<br>
the risk of your key being attacked, we have set the privacy of your<br>
potentially vulnerable public key on your profile to "Only Me" to limit<br>
further distribution. We will continue to encrypt your notification<br>
emails using this OpenPGP public key.<br>
<br>
This is doubly weird since the private/public key was generated on a<br>
Yubikey-4 nano and it is safe at home. Does anyone know what this may<br>
be about?<br>
<br>
Facebook public key (it is valid, see:<br>
<a href="https://www.facebook.com/notes/protect-the-graph/securing-email-communications-from-facebook/1611941762379302/" rel="noreferrer" target="_blank">https://www.facebook.com/<wbr>notes/protect-the-graph/<wbr>securing-email-communications-<wbr>from-facebook/<wbr>1611941762379302/</a>):<br>
<br>
pub rsa4096 2015-05-17 [SC] [expires: 2018-05-17]<br>
31A70953D8D590BA1FAB37762F3898<wbr>CEDEE958CF<br>
uid [ full ] Facebook, Inc.<br>
sub rsa4096 2017-07-24 [S] [expires: 2018-02-19]<br>
<br>
My public key is uploaded to keyservers and is:<br>
<br>
pub rsa4096 2016-10-17 [SC] [expires: 2018-10-17]<br>
D89A29A3E1DA59DFBF516EA73E450D<wbr>1BCF78C26B<br>
uid [ultimate] orange<br>
uid [ultimate] Murphy Chesney (facebook communication)<br>
<<a href="mailto:mac3iii@gmail.com">mac3iii@gmail.com</a>><br>
sub rsa4096 2016-10-17 [A] [expires: 2018-10-17]<br>
sub rsa2048 2016-10-17 [E] [expires: 2018-10-17]<br>
<span class="HOEnZb"><font color="#888888"><br>
Murphy<br>
<br>
<br>
</font></span><br>______________________________<wbr>_________________<br>
Gnupg-users mailing list<br>
<a href="mailto:Gnupg-users@gnupg.org">Gnupg-users@gnupg.org</a><br>
<a href="http://lists.gnupg.org/mailman/listinfo/gnupg-users" rel="noreferrer" target="_blank">http://lists.gnupg.org/<wbr>mailman/listinfo/gnupg-users</a><br>
<br></blockquote></div><br></div>