A talk from the hacker conference 39C3 about security vulnerabilities found in GPG (GnuPG) and similar tools.

They showed 14 vulnerabilities (9 of them are 0-days) 🤯.

Their website: https://gpg.fail/

(in English)

  • ReginaPhalange@lemmy.world
    6 days ago

    At 09:10, they demonstrate injecting text that does not break signatures by appending text after manually inserting a null terminator.

    • Is a null terminator a character that can be inserted using any enhanced text editor? How do I do that in vim?
    • They go on to say that \v\r is not a new line, but actually I thought that Unix-style text documents end a line that way (\r)?
  • ReginaPhalange@lemmy.world
    5 days ago

    What do they suggest for the secure way to validate the header line?
    Let’s say it is Hash: SHA1, then a million nbsp, and then a newline.

    Is the header line now considered invalid because of arbitrary character limit?
    Is it invalid because the maximum length of a known hash function is (insert figure here)?
    Should the million nbsp be a part of the text being signed?