[Previous entry: "Hardyville: How the town fell off the map"] [Main Index] [Next entry: "LIbertarian "V for Vendetta" reviews"]

03/15/2006 Archived Entry: "GPG Security Alert"

Those of you who followed Claire's excellent How to use encryption instructions have just a bit more work to do.

GPG, the open-source Gnu Privacy Guard software that performs the encryption tasks, has a rather serious flaw. It is possible to add information to a signed message without disturbing the signature validation. This means bad guys can pre-pend or append information to a signed GPG message, and the recipient would have every reason to believe that the sender wrote the entire message.

Apparently this flaw has been in the code for years, and was only recently discovered. A downside of open-source software is that it is no more certain to be free of serious bugs than proprietary stuff. An upside is that serious flaws, once discovered, are fixed promptly. You can read the announcement here.

Anyone who downloaded GPG before March 9, 2006 should upgrade immediately. Go to gnupg.org for download instructions.

Security and privacy, like all freedoms, require constant vigilance.


Posted by Silver @ 01:38 PM CST

Powered By Greymatter