Re: the safety of gnupg

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tim wrote:
> Tim:
>>> I've just been reading some rather silly things about gnupg except
>>> for one practical point:  Who has actually checked the source code
>>> for it to see whether it's trustworthy, etc?
>>> 
>>> And, of course, the next thing would be:  Who would they be that
>>> we could trust them, too?  After a bit of Googling around, I'm
>>> darned if I can find out, nor think of the right terms to search
>>> for.
> 
> Bruno Wolff III:
>> gnupg is much less likely to have an intentional back door than
>> anything you get from a corporation.

That's a pretty broad brush you're painting with Bruno. :)

I do tend to agree though.  I just wouldn't paint with such a dark
shade.

> I tend to think so, too.  But with something as important as gnupg,
> considering that it, or some pgp-compatible thing, is used in
> signing and checking packages, it ought to be verified as safe.
> Both from things like backdoors, and just plain old mistakes.  From
> what I've seen, the mathematics of how to do PGP would seem to be
> considered as reliable, but that's just the scheme.  You also have
> to check that the application is done right.

It's very difficult.  The most recent flaws found in gnupg were around
for years before anyone found them.  Noted security and crypto guru
Bruce Schneier wrote about that in his blog[1] and wrote an article a
few years before on open source security[2].

Another article was written by John Viega, one of the original authors
of Gnu Mailman, titled "The Myth of Open Source Security."  In it he
talks about vulnerabilities that existed for years in Mailman without
anyone noticing.

Additionally, if you really want to be secure you have to audit much
more than just the gnupg package.  After all, what would be the point
of making sure it's bullet proof if the underlying system libraries
that it uses are compromised or if your system is trojaned by some
obscure package that made it into extras?  Anyone care to bet how easy
it might be to do a lot of damage intentionally before anyone noticed?

For a fascinating read (even if much of it is over my head), check out
Ken Thompson's "Reflections on Trusting Trust[3]."

All of that said, it's also good to keep in perspective that security
is never absolute and be able to weigh the risks versus the gains from
any measure you take.  Sure, you can guarantee you'll never get
trojaned if you never use a computer, but that's going to an extreme.
:-)

> One argument I see put forward about PGP, et al, is that anybody who
> had found a flaw would be proudly crowing about it, but nobody has
> so far.  Though that's countered by anyone who'd found a flaw
> because they wanted to exploit it, would be keeping it to
> themselves.

Yes, this is a very good counter point.  You have to have a lot of
hope that a good guy finds the holes before the bad guys do.

There was just a post on Bugtraq about a "nasty" security bug in PGP
and Truecrypt disk encryption.  It even sounded bad on first read, but
it turns out that the folks that wrote the advisory are simply on
crack[4].

And after all that text, I don't have an answer to your question of
whether anyone has published a source code audit of gnupg.  You may
want to try asking this question on the gnupg-users list to see if any
of the developers can point you to one.  I think all the main devs
read that list.  David Shaw and Werner Koch post there often and are
generally helpful and responsive fellows.

[1] http://www.schneier.com/blog/archives/2006/03/huge_vulnerabil_1.html
[2] http://www.schneier.com/crypto-gram-9909.html#OpenSourceandSecurity
[3] http://www.acm.org/classics/sep95/
[4] http://www.securityfocus.com/archive/1/435007/30/150/threaded

- -- 
Todd        OpenPGP -> KeyID: 0xD654075A | URL: www.pobox.com/~tmz/pgp
======================================================================
Friends may come and go, but enemies accumulate.
    -- Thomas Jones

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: When crypto is outlawed bayl bhgynjf jvyy unir cevinpl.

iG0EARECAC0FAkR+ZLMmGGh0dHA6Ly93d3cucG9ib3guY29tL350bXovcGdwL3Rt
ei5hc2MACgkQuv+09NZUB1qsowCfTumwH8t28rMDi2C8BlMRaMez1vgAoLP2Yitd
QZPz6OKymIs2UJLNbAY3
=giBC
-----END PGP SIGNATURE-----


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux