A critical security bug in tarsnap
The author of tarsnap ("online backups for the truly paranoid") has sent
out an advisory describing a "critical" security bug in versions 1.0.22
through 1.0.27. "It may be possible for me, Amazon, or US government
agencies with access to Amazon's datacenters to decrypt data stored with
those versions of Tarsnap. This is an absolutely unacceptable compromise of
Tarsnap's security principles, and I sincerely apologize to everyone
affected." The posting describes how to respond to the problem and
is an interesting discussion of how easily things can go wrong in
security-related code.
