Timeline for Safely decrypting an unsolicited/untrusted PGP message
Current License: CC BY-SA 3.0
11 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Feb 18, 2018 at 12:44 | history tweeted | twitter.com/StackSecurity/status/965205284175204352 | | |
| Feb 17, 2018 at 22:34 | vote accept | jamieweb | | |
| Feb 17, 2018 at 21:37 | comment added | forest | | @Pascal A simple uploader in PHP will be much, much harder to compromise (if written even remotely close to correctly) than GnuPG, which is a huge, complex beast parsing a number of complex formats in a memory unsafe language. Also I was assuming OP was talking about email anyway, but it's true that some email clients like Thunderbird have huge attack surfaces. |
| Feb 17, 2018 at 10:34 | answer added | Out of Band | | timeline score: 1 |
| Feb 17, 2018 at 10:00 | comment added | Out of Band | | @forest: Really? You'd be worried about being attacked by a security vulnerability report someone encrypted with PGP/GnuPG? Don't you think that if GnuPG poses a problem in the described context, then whatever process OP has in place to handle these reports is also susceptible to an attack that doesn't involve GnuPG? If OP is worried about shell scripts getting executed by mistake, then obviously there is a much more serious problem in the pipeline he uses. GnuPG / PGP aren't the main issue here. |
| Feb 17, 2018 at 4:25 | answer added | forest | | timeline score: 4 |
| Feb 17, 2018 at 4:12 | comment added | forest | | @Pascal Actually, GnuPG is rather hideous. It is not only sane, but very smart to be worried about this. |
| Feb 17, 2018 at 1:48 | comment added | multithr3at3d | | If you're concerned about something messing with bash or the terminal, why not send the output to a file? |
| Feb 17, 2018 at 1:24 | comment added | symcbean | | You always cat decrypted emails directly from the shell? Wow, that's hard-core. |
| Feb 17, 2018 at 1:01 | comment added | Out of Band | | Unless there is a hideous bug in PGP / GnuPG nobody has discovered yet, your worries have no basis in fact. Attacking the decryption process of GPG messages doesn't seem promising to me at all. |
| Feb 16, 2018 at 23:26 | history asked | jamieweb | CC BY-SA 3.0 | |