Activity for Andrew Gallagher

  • Andrew Gallagher Andrew Gallagher posted a comment on ticket #838

    Malte, MDC failures should be errors because MDC prevents an attacker decrypting your message by modifying it in transit and watching to see what happens when you read it. In OpenPGP this has up to now been mostly theoretical, but recently there was a practical attack published that works against both PGP and SMIME messages in HTML capable mail clients. Iff you have HTML display turned off, it should be relatively safe to try decrypting with the flag “—ignore-mdc-error”. But at root, your correspondent’s...

  • Andrew Gallagher Andrew Gallagher posted a comment on ticket #838

    This is not intended to be foolproof, just a backstop sanity test. You can force the language to C when invoking GPG. The output is not normally displayed to the user. The fix has already been pushed to master in GPG, so we only need to worry about historical versions, not all new ones.

  • Andrew Gallagher Andrew Gallagher modified a comment on ticket #838

  • Andrew Gallagher Andrew Gallagher posted a comment on ticket #838

    Patrick: From your reply to Robert yesterday: The problem is that gpg doesn't say anything. I would expect a DECRYPTION_FAILED message here: <snip> [GNUPG:] DECRYPTION_OKAY gpg: WARNING: message was not integrity protected [GNUPG:] END_DECRYPTION So it did complain, just not as loudly as it should have. :-) A

  • Andrew Gallagher Andrew Gallagher posted a comment on ticket #838

    Patrick: From your reply to Robert yesterday: The problem is that gpg doesn't say anything. I would expect a DECRYPTION_FAILED message here: <snip> [GNUPG:] DECRYPTION_OKAY gpg: WARNING: message was not integrity protected [GNUPG:] END_DECRYPTION So it did complain, just not as loudly as it should have. ;-) A On 15/05/18 12:04, Patrick Brunschwig wrote: How would you suggest that I can detect MDC failures if GnuPG doesn't tell me so ... ? [bugs:#838] https://sourceforge.net/p/enigmail/bugs/838/ Fail...

  • Andrew Gallagher Andrew Gallagher created ticket #838

    Fail on GPG integrity check warnings

  • Andrew Gallagher Andrew Gallagher created ticket #21

    SEVERE: allow_user_owned_authorized_keys_file permits privilege escalation

1