From: Chris Wysopal (weld vulnwatch.org)
Date: Tue Sep 04 2001 - 17:33:59 CDT
-----summary: This announcement describes a practical attack on PGP. The
attack allows an attacker to make a public key appear under an invalid name in
the PGP keyring. The attacker can use this to forge signatures, and in the
right circumstances to read messages sent to that name. The attack is not a
'life-threatening danger', but can compromise the web of trust system. One
should check all keys one imports for unusual extra names.
---name:
PGP multiple user ID attack
---discovered by:
Sieuwert van Otterloo
---date:
September 4 2001
---Affected:
All versions of PGP after PGP 5.0 on all platforms (confirmed with PGP 7.0 on
Windows 98 and NT, and PGP 6.0.2 on Win98)
---further info:
www.bluering.nl/pgp
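
One way to carry out the check the summary recommends, shown as an added example that is not part of the original advisory. It assumes the keyring is listed in GnuPG's `--with-colons` format (GnuPG is not mentioned in the post); the sample listing and all names in it are constructed. It only surfaces keys that carry more than one user ID so each name can be reviewed by hand; it does not decide which name is invalid.

```python
import re

# Constructed sample in GnuPG colon format (not real keys). The last key uses
# the older layout, where the primary user ID sits on the pub record itself.
SAMPLE = r"""pub:f:2048:1:1111111111111111:999561600:::-:::scESC:
uid:f::::999561600::0000000000000000000000000000000000000001::Alice Example <alice@example.org>:
sub:f:2048:1:2222222222222222:999561600::::::e:
pub:f:2048:1:3333333333333333:999561600:::-:::scESC:
uid:f::::999561600::0000000000000000000000000000000000000002::Bob Example <bob@example.org>:
uid:-::::999561600::0000000000000000000000000000000000000003::Carol Example (ref\x3a 42) <carol@example.org>:
pub:-:1024:17:4444444444444444:999561600:::-:Dave Example <dave@example.org>::scESC:
uid:-::::999561600::0000000000000000000000000000000000000004::Erin Example <erin@example.org>:
"""

def _unescape(field):
    # Colons and control characters inside a user ID are written as \xHH.
    return re.sub(r"\\x([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), field)

def user_ids_by_key(listing):
    """Map each primary key ID to its [(validity, user ID), ...] list."""
    keys, current = {}, None
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 10 or f[0] not in ("pub", "uid"):
            continue                      # sub, fpr, uat, blank lines, ...
        if f[0] == "pub":
            current = keys.setdefault(f[4], [])   # field 5: key ID
        if current is not None and f[9]:          # field 10: user ID
            current.append((f[1], _unescape(f[9])))  # field 2: validity
    return keys

def keys_with_extra_names(listing):
    """Keys that carry more than one user ID and so need a manual look."""
    return {k: u for k, u in user_ids_by_key(listing).items() if len(u) > 1}

if __name__ == "__main__":
    for key_id, uids in keys_with_extra_names(SAMPLE).items():
        print(f"key {key_id} has {len(uids)} user IDs:")
        for validity, name in uids:
            print(f"  [{validity}] {name}")
```

To review a real keyring, feed the function the text produced by `gpg --list-keys --with-colons` instead of `SAMPLE`.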