cleartext problems known for 30 years
Posted Jan 22, 2026 15:07 UTC (Thu) by dd9jn (✭ supporter ✭, #4459)
In reply to: cleartext problems known for 30 years by yourfate
Parent article: Responses to gpg.fail
20 years ago PGP/MIME was widely used but cleartext was still in active use. Also at that time it was common to sign manifest files using cleartext signatures. If verified properly, this is no problem. However, still today not everyone implementing such a scheme gets it right. I have doubts that this will get better by switching to detached signatures.
OTOH, we should be glad that meanwhile most projects know about the importance of signatures for the software ecosystem. Well, most - when I need to update supporting libraries used by Gpg4win, I stumble upon projects with no way to verify that the download is authentic (e.g. libpng). As an attacker I would start there; updating image libraries is often required due to their complexity and thus bug proneness.
