
Re: [Full-disclosure] Using second gpg keyring may be misleading?



Ah...  Very interesting.  Another example where "default trust" can be a bad 
thing (as we saw with Flame).

Sent from my iPad

On Jun 15, 2012, at 6:43 AM, "Georgi Guninski" <guninski@xxxxxxxxxxxx> wrote:

> On Thu, Jun 14, 2012 at 05:52:26PM +0000, Thor (Hammer of God) wrote:
>> What are you considering exploitable?  The untrusted/unverified "Master" key?
>> 
> 
> ubuntu fixed this out of paranoia:
> https://lists.ubuntu.com/archives/ubuntu-security-announce/2012-June/001721.html
> 
>> While it appears that a man-in-the-middle attacker cannot
>> exploit this, as a hardening measure this update adjusts apt-key to
>> validate all subkeys when checking for key collisions.
> 
> i would suppose this was exploitable while it was alive.
> 
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/