
cleartext problems known for 30 years

Posted Jan 22, 2026 11:44 UTC (Thu) by dd9jn (✭ supporter ✭, #4459)
Parent article: Responses to gpg.fail

Hi!

I already mentioned this in my article on gnupg.org: the problems with cleartext signatures are old and should thus have been known to hackers and implementers of MUAs and other tools which provide a signature status. I remember the time I followed the Mutt ML and its IRC channel nearly 30 years ago. In those pre-PGP/MIME times it was kind of a game to find clever ways to circumvent the cleartext signature verification. Most bug reports from the 39C3 use the same pattern. It is unfortunate that useful knowledge obviously gets lost over the decades.


cleartext problems known for 30 years

Posted Jan 22, 2026 13:36 UTC (Thu) by yourfate (subscriber, #175466) [Link] (2 responses)

It seems like it should have been fixed / removed within the last 30 years then.

cleartext problems known for 30 years

Posted Jan 22, 2026 15:07 UTC (Thu) by dd9jn (✭ supporter ✭, #4459) [Link] (1 responses)

30 years ago it could not be removed because PGP/MIME did not yet exist or was only implemented by Mutt and not by the back then more common MUAs (e.g. Pine). Or think of IRC and BBS.

20 years ago PGP/MIME was widely used but cleartext was still in active use. Also at that time it was common to sign manifest files using cleartext signatures. If verified properly, this is no problem. However, still today not everyone implementing such a scheme gets it right. I have doubts that this will get better by switching to detached signatures.

OTOH, we should be glad that meanwhile most projects know about the importance of signatures for the software ecosystem. Well, most - when I need to update supporting libraries used by Gpg4win, I stumble upon projects with no way to verify that the download is authentic (e.g. libpng). As an attacker I would start there; updating image libraries is often required due to their complexity and thus bug-proneness.
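The comment above notes that cleartext-signed manifest files are fine "if verified properly", and that implementers still get this wrong. As an added example (not code from the poster, from GnuPG, or from the article), the following Python applies the RFC 4880 section 7 framing rules to decide exactly which bytes a cleartext signature covers, flags anything outside that region, and builds a checksum manifest only from the signed part. The manifest and the signature armor are constructed placeholders; the cryptographic check itself is still delegated to `gpg --verify`, which this code does not call.

```python
"""Framing checks for an OpenPGP cleartext-signed message (RFC 4880, sec. 7).

The signature covers only the text between the blank line after the
"Hash:" headers and the BEGIN PGP SIGNATURE line.  Text before the
BEGIN PGP SIGNED MESSAGE line or after END PGP SIGNATURE is unsigned and
must never be shown or consumed as if it were signed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


@dataclass
class CleartextParts:
    signed_text: Optional[str]      # dash-unescaped text the signature covers
    signature_armor: Optional[str]  # armored signature (to be handed to gpg --verify)
    unsigned_before: str = ""       # text preceding the signed block
    unsigned_after: str = ""        # text following the signature block
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def _find(lines: List[str], marker: str, start: int) -> int:
    """Index of the first line equal to `marker` at or after `start`, else -1."""
    for j in range(start, len(lines)):
        if lines[j].rstrip("\r") == marker:
            return j
    return -1


def split_cleartext(message: str) -> CleartextParts:
    lines = message.split("\n")
    problems: List[str] = []
    start = _find(lines, BEGIN_SIGNED, 0)
    if start < 0:
        return CleartextParts(None, None, message, "", ["no cleartext signature block"])
    if _find(lines, BEGIN_SIGNED, start + 1) >= 0:
        problems.append("more than one cleartext block; only the first is treated as signed")
    # Armor headers (only "Hash:" is permitted here) run until the first empty line.
    i = start + 1
    while i < len(lines) and lines[i].rstrip("\r") != "":
        if not lines[i].startswith("Hash:"):
            problems.append(f"unexpected armor header {lines[i]!r}")
        i += 1
    body_start = i + 1
    sig_start = _find(lines, BEGIN_SIG, body_start)
    sig_end = _find(lines, END_SIG, sig_start) if sig_start >= 0 else -1
    if sig_start < 0 or sig_end < 0:
        problems.append("signature block missing or unterminated")
        return CleartextParts(None, None, "\n".join(lines[:start]), "", problems)
    signed_lines = []
    for raw in lines[body_start:sig_start]:
        line = raw.rstrip("\r")
        if line.startswith("- "):
            line = line[2:]            # undo dash-escaping
        elif line.startswith("-"):
            problems.append(f"unescaped leading dash in signed text {line!r}")
        signed_lines.append(line.rstrip(" \t"))  # trailing whitespace is not signed
    signed_text = "\n".join(signed_lines)  # no line break before BEGIN PGP SIGNATURE
    unsigned_before = "\n".join(lines[:start])
    unsigned_after = "\n".join(lines[sig_end + 1:])
    if unsigned_before.strip():
        problems.append("unsigned text precedes the signed block")
    if unsigned_after.strip():
        problems.append("unsigned text follows the signature block")
    return CleartextParts(signed_text, "\n".join(lines[sig_start:sig_end + 1]),
                          unsigned_before, unsigned_after, problems)


_ENTRY = re.compile(r"^([0-9a-f]{64})  (\S+)$")


def trusted_manifest(message: str) -> Dict[str, str]:
    """filename -> digest, taken only from the signed region and only when the
    framing is clean; an empty dict means 'trust nothing in this file'."""
    parts = split_cleartext(message)
    if not parts.ok:
        return {}
    entries: Dict[str, str] = {}
    for line in parts.signed_text.splitlines():
        m = _ENTRY.match(line)
        if m:
            entries[m.group(2)] = m.group(1)
    return entries


# Constructed sample: a SHA256SUMS manifest with a placeholder signature armor.
SIGNED_MANIFEST = "\n".join([
    BEGIN_SIGNED,
    "Hash: SHA256",
    "",
    "# SHA256SUMS for example-1.0 (constructed sample)",
    "- -- a line starting with a dash is dash-escaped in the signed text",
    "0" * 63 + "1" + "  example-1.0.tar.gz",
    BEGIN_SIG,
    "",
    "iQEzBAEBCAAdFiEEPLACEHOLDERSIGNATUREARMOR000000000000000000000=",
    "=0000",
    END_SIG,
    "",
])
# Same file with an extra checksum line appended after the signature block.
TAMPERED_MANIFEST = SIGNED_MANIFEST + "0" * 63 + "2" + "  extra.tar.gz\n"
```

A checker that feeds the whole file to a downstream consumer after `gpg --verify` says "Good signature" is the classic mistake: gpg verified the framed region, but the consumer then reads `extra.tar.gz` from the unsigned tail. Splitting first and consuming only `signed_text` is what "verified properly" means in practice, and the same structural check is what an MUA should apply before marking a message as signed.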

cleartext problems known for 30 years

Posted Jan 25, 2026 17:06 UTC (Sun) by SLi (subscriber, #53131) [Link]

I think if Fedora gets it wrong in their release process, that should demonstrate that there's way too much confidence in people knowing to not use it this way.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds