LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Sponsored link

Vyatta – Linux & Open Source Alternative to Cisco – Advanced Routing, Firewall, VPN, QoS..
Free Download ->

Recent Features

Plugging into GCC

LWN.net Weekly Edition for October 2, 2008

Ubuntu debuts its Upstream Report

openSUSE and the distribution of proprietary software

LPC: What's happening with webcams

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

Cryptographic weakness on Debian systems

Cryptographic weakness on Debian systems

Posted May 13, 2008 20:48 UTC (Tue) by man_ls (subscriber, #15091)
In reply to: Cryptographic weakness on Debian systems by nix
Parent article: Cryptographic weakness on Debian systems

Maybe the keys are good, but the attacker wants to make you think you have to get new keys -- which he will somehow forge and supply to you. In this case you should scrutinize the ways to "sanitize" your supposedly bad keys. An example: (s)he has discovered a weak point in GPG keys, so a method to generate "good" SSL keys from "safe" GPG keys is really a way to generate "compromised" SSL keys from "unsafe" GPG keys.

It is a modern-day version of the old ploy where a fake detective comes and says: "here, your house is bugged, let me sanitize it for you", thus gaining your confidence and at the same time getting an excellent chance to install his own spying devices. You should watch him like a hawk.

On second thought, even if you follow the guy he may be clever enough to deploy spying devices even if you are watching him all the time. Or in our case: the GPG vulnerability may be subtle enough that it is hard to catch the attacker. I hope some really clever people are watching this story unfold.

(Log in to post comments)

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds