GNU Privacy Guard - Problems

Problems


The OpenPGP standard specifies several methods of digitally signing messages. In 2003, an error in a change to GnuPG intended to make one of those methods more efficient introduced a security vulnerability. It affected only one method of digitally signing messages, and only some releases of GnuPG (1.0.2 through 1.2.3), and fewer than 1000 such keys were listed on the key servers. Most people did not use this method and were in any case discouraged from doing so, so the damage caused (if any; none has been publicly reported) would appear to have been minimal. Support for this method was removed from GnuPG versions released after the discovery (1.2.4 and later).

Two further vulnerabilities were discovered in early 2006. The first was that scripted uses of GnuPG for signature verification may result in false positives; the second was that non-MIME messages were vulnerable to the injection of data which, while not covered by the digital signature, would be reported as being part of the signed message. In both cases updated versions of GnuPG were made available at the time of the announcement.

GnuPG is a command-line system; it is not written as an API that can be incorporated into other software. GPGME is an API wrapper around GnuPG that parses GnuPG's output, and various graphical front-ends based on GPGME have been created. Many GPGME API calls currently require an out-of-process call to the GnuPG executable. Because GPGME uses a special GnuPG interface designed for machine use, the API between the components is stable and maintainable. Because of the process barrier, possible security problems in an application do not propagate to the actual crypto code.
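The sketch below is an added example, not code from GnuPG or GPGME. It shows how a script can reach a verification verdict from the machine-readable status lines alone, so that missing, mixed or merely human-readable output is never treated as success. It assumes the output was captured from `gpg --status-fd 1 --verify`; the function names, sample output and fingerprints are constructed for illustration.

```python
# Added example: decide a verification result from GnuPG status lines only.
# All sample output and fingerprints below are constructed for illustration.
PREFIX = "[GNUPG:] "
FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA"}
TRUSTED = "0123456789ABCDEF0123456789ABCDEF01234567"  # constructed fingerprint
OTHER = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"    # constructed fingerprint


def parse_status(text):
    """Return (keyword, args) for each machine-readable status line."""
    records = []
    for line in text.splitlines():
        if line.startswith(PREFIX):
            fields = line[len(PREFIX):].split()
            if fields:
                records.append((fields[0], fields[1:]))
    return records


def signature_ok(status_text, trusted_fpr):
    """Accept only one valid signature made by the expected key."""
    valid = []
    for keyword, args in parse_status(status_text):
        if keyword in FAILURES:
            return False              # any failed signature rejects the input
        if keyword == "VALIDSIG" and args:
            valid.append(args)
    if len(valid) != 1:               # none (or several) checked: not a pass
        return False
    args = valid[0]
    signer = args[9] if len(args) > 9 else args[0]  # primary key fpr if given
    return signer.upper() == trusted_fpr.upper()


def validsig(fpr):
    """Build a constructed VALIDSIG status line for the given fingerprint."""
    return f"{PREFIX}VALIDSIG {fpr} 2024-01-01 1704067200 0 4 0 1 8 00 {fpr}"


GOOD = "\n".join([PREFIX + "NEWSIG",
                  PREFIX + "GOODSIG 89ABCDEF01234567 Constructed User",
                  validsig(TRUSTED)])
BAD = PREFIX + "BADSIG 89ABCDEF01234567 Constructed User"
# Human-readable text is not a status line and must never count as success.
SPOOFED = 'gpg: Good signature from "Constructed User"'
MIXED = GOOD + "\n" + BAD             # one good and one bad signature

if __name__ == "__main__":
    for name, out in [("good", GOOD), ("bad", BAD), ("spoofed", SPOOFED),
                      ("mixed", MIXED), ("wrong key", validsig(OTHER))]:
        print(f"{name:10s}", signature_ok(out, TRUSTED))
```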
