Comments on: Open-source bugs undermine digital signatures

Two flaws in open-source cryptography app could allow an attacker to add content to a digitally signed message or forge signatures.

Misleading article title.
by Zymurgist March 11, 2006 6:43 PM PST
There's no flaw in GPG per se. Namely, the issue is that if you verify a signature, it verifies the signature of the signed portion of the message properly -- no bug there. The bug is that if you have it dump out the message, it dumps out the whole message (e.g., headers and all), not just the signed portion.

The problem is that this confuses people that don't realize that a portion of the message is signed, and a portion is not. It's clearly indicated in the message the part that's signed (by a line that says, essentially, "signed message begins here"), but some people don't catch that.

The practical upshot is that one can add stuff before (or after) the signed section and GPG will validate the signed section for you and tell you it's okay. If you ignore the fact that only a portion of the message is signed, you will thus conclude the entire message is signed (including the altered portion outside the signed block).

The fix -- make it explicitly identify the signed block.
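An added example, not code from the article or from GnuPG, of the fix Zymurgist describes: a parser that makes the signed block explicit so a script never treats the unsigned lines around it as covered by the signature. The layout follows RFC 4880 clearsign armor; the sample message and its placeholder signature are constructed, and the code only locates the signed text, it does not verify the signature itself (that remains gpg's job).

```python
import re
from dataclasses import dataclass

BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"

# Constructed sample: unsigned text wrapped around a clearsigned block; the signature body is a placeholder.
SAMPLE = """\
Unsigned line added before the block.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Meeting moved to 3pm.
- -- Alice
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAd(placeholder-signature-data)
-----END PGP SIGNATURE-----
Unsigned line added after the block.
"""


@dataclass
class ClearsignParts:
    unsigned_before: list  # lines before the signed block: NOT covered
    signed_text: list      # lines the signature actually covers
    signature: list        # the armored signature block itself
    unsigned_after: list   # lines after the signature: NOT covered

    @property
    def has_unsigned_data(self) -> bool:
        return bool(self.unsigned_before or self.unsigned_after)


def split_clearsigned(message: str) -> ClearsignParts:
    lines = message.splitlines()
    try:
        start = lines.index(BEGIN)
        sig_start = lines.index(SIG_BEGIN, start)
        sig_end = lines.index(SIG_END, sig_start)
    except ValueError as exc:
        raise ValueError("not a complete clearsigned message") from exc
    # Armor headers such as "Hash: SHA256" run up to the first blank line.
    body = start + 1
    while body < sig_start and lines[body].strip():
        body += 1
    body += 1  # skip the blank separator line
    # Undo dash-escaping: a signed line "-- Alice" was armored as "- -- Alice".
    signed = [re.sub(r"^- ", "", ln) for ln in lines[body:sig_start]]
    return ClearsignParts(lines[:start], signed, lines[sig_start:sig_end + 1], lines[sig_end + 1:])
```

A wrapper around gpg would hand only `signed_text` on to the consumer and flag or refuse the message whenever `has_unsigned_data` is true, instead of showing the whole input next to a "good signature" result.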
Terrific
by robertcampbell2 March 12, 2006 10:59 AM PST
Good, no flaw so I guess they just developed the patch to soothe the general public? Does that mean we can safely ignore the posted fix to the non-existent flaw???
No
by TimeBomb March 15, 2006 12:40 AM PST
You're just wrong. It IS a bug in GnuPG, and it has to do with digsigs being validated when they shouldn't be. From the GnuPG site itself:

"The Gentoo project identified a security related BUG in GnuPG. When using any current version of GnuPG for unattended signature verification (e.g. by scripts and mail programs), false positive signature verification of detached signatures may occur."

See that? Bug. False positive signatures.

And:

"In the aftermath of the false positive signature verification bug more thorough testing of the fix has been done and another vulnerability has been detected. This new problem affects the use of gpg for verification of signatures which are not detached signatures. The problem also affects verification of signatures embedded in encrypted messages; i.e. standard use of gpg for mails."
Less than useful
by nerdboy March 12, 2006 9:55 AM PST
Writing about a flaw in a complex system without providing any indication of where the flaw lies or what the flawed mechanism is leaves the reader with nothing to use in evaluating alternatives or examining similar systems. Poor journalism.