[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PGP hole

To: [email protected] (Gregory A. Alkaitis)
Subject: Re: PGP hole
From: "Dr. D.C. Williams" <[email protected]>
Date: Thu, 29 Sep 1994 20:40:50 -0700 (PDT)
Cc: [email protected] (Dr. D.C. Williams, P.E.), [email protected]
In-Reply-To: <Pine.3.89.9409292248.A17207-0100000@bigcat> from "Gregory A. Alkaitis" at Sep 29, 94 10:28:10 pm
Sender: [email protected]


> If you would, please send perhaps a breif "digest" of the thread.  (Or 
> the entire thing, if that's easier.)

The whole thread is much too long to post (and besides, it has nothing to
do with bikinis or Fabio  ;-) ). The gist of the problem seems to be
that a signed cleartext message can be altered by adding spoofed text
right after the BEGIN PGP SIGNED MESSAGE line. If the spoofed text is
separated from the original text by a blank line or even a tab, PGP
reports that the signature is good in spite of the added text.

Apparently, the output file is a faithful version of the
original message, but users who don't check that file might believe 
that the spoofed text was a part of the original message. I have
not personally tried this yet, but the thread is full of comments
from people who have, including some people who originally didn't
believe it but later confirmed the existence of the problem themselves.

The bug seems to be present in all versions (even the ViaCrypt versions
have this problem). It has been reported as a bug to the MIT pgp-keepers.

Caveat emptor.


=D.C. Williams	<[email protected]>

Follow-Ups:
- Re: PGP hole
  - From: Alan Barrett <[email protected]>

Prev by Date: PGP hole
Next by Date: Re: Cypherpunks meetings in other cities
Prev by thread: PGP hole
Next by thread: Re: PGP hole
Index(es):
- Date
- Thread