To sign or not to sign: Practical vulnerabilities in GPG & friends
media.ccc.de
Might contain zerodays. https://gpg.fail/ From secure communications to software updates: PGP implementations such as *GnuPG* ubiquitous...

A talk from the hacker conference 39C3 about security vulnerabilities found in GPG (GnuPG) and similar tools.

They showed 14 vulnerabilities (9 of them are 0-days) 🤯.

Their website: https://gpg.fail/

(in English)

  • ReginaPhalange@lemmy.worldEnglish
    1·
    18 days ago

    What do they suggest for the secure way to validate the header line?
    Let’s say it is Hash: SHA1 and then a million nbsp and then a newline

    Is the header line now considered invalid because of arbitrary character limit?
    Is it invalid because the maximum length of a known hash function is (insert figure here)?
    Should the million nbsp be a part of the text being signed?