SigSpoof: Difference between revisions

Content deleted Content added

Inline

Revision as of 01:18, 10 September 2018

SigSpoof is a family of security vulnerabilities that affected the software package GNU Privacy Guard ("GnuPG") for decades.^[1] Some other software packages that make use of GnuPG were also affected, such as Pass.^[2]

In un-patched versions of affected software, SigSpoof attacks allow cryptographic signatures to be convincingly spoofed, under certain circumstances.^[1]^[3]^[4]^[2]^[5] This potentially enables a wide range of subsidiary attacks to succeed.^[1]^[3]^[4]^[2]^[5]

According to Marcus Brinkmann, who discovered the vulnerabilities, the existence of the SigSpoof vulnerabilities, and the fact that they were present in the wild for so long, throws into question the integrity of past emails, "backups, software updates, ... and source code in version control systems like Git."^[1]

References

^ ^a ^b ^c ^d "Decades-old PGP bug allowed hackers to spoof just about anyone's signature".
^ ^a ^b ^c "Pass gets a fail: Simple Password Store suffers GnuPG spoofing bug".
^ ^a ^b "SigSpoof: Signaturen fälschen mit GnuPG - Golem.de".
^ ^a ^b Security, heise. "Enigmail und GPG Suite: Neue Mail-Plugin-Versionen schließen GnuPG-Lücke". Security.
^ ^a ^b "20 Jahre alter Fehler entdeckt: PGP-Signaturen ließen sich einfach fälschen - derStandard.at". DER STANDARD.

This computing article is a stub. You can help Wikipedia by expanding it.

[ars-1] "Decades-old PGP bug allowed hackers to spoof just about anyone's signature".

[reg-2018-06-19-2] "Pass gets a fail: Simple Password Store suffers GnuPG spoofing bug".

[golem-3] "SigSpoof: Signaturen fälschen mit GnuPG - Golem.de".

[heise-4] Security, heise. "Enigmail und GPG Suite: Neue Mail-Plugin-Versionen schließen GnuPG-Lücke". Security.

[standard-5] "20 Jahre alter Fehler entdeckt: PGP-Signaturen ließen sich einfach fälschen - derStandard.at". DER STANDARD.

[1]

[2]

[3]

[4]

[5]

@@ Line 1: / Line 1: @@
 '''SigSpoof''' is a family of [[Vulnerability (computing)|security vulnerabilities]] that affected the software package [[GNU Privacy Guard]] ("GnuPG") for decades.<ref name="ars"/> Some other software packages that make use of GnuPG were also affected, such as [[Pass (software)|Pass]].<ref name="reg-2018-06-19"/>
-In unpatched versions of affected software, SigSpoof attacks allow [[cryptographic signature]]s to be convincingly spoofed, under certain circumstances.<ref name="ars"/><ref name="golem"/><ref name="heise"/><ref name="reg-2018-06-19"/><ref name="standard"/> This potentially enables a wide range of subsidiary attacks to succeed.<ref name="ars"/><ref name="golem"/><ref name="heise"/><ref name="reg-2018-06-19"/><ref name="standard"/>
+In un-[[Patch_(computing)|patch]]ed versions of affected software, SigSpoof attacks allow [[cryptographic signature]]s to be convincingly spoofed, under certain circumstances.<ref name="ars"/><ref name="golem"/><ref name="heise"/><ref name="reg-2018-06-19"/><ref name="standard"/> This potentially enables a wide range of subsidiary attacks to succeed.<ref name="ars"/><ref name="golem"/><ref name="heise"/><ref name="reg-2018-06-19"/><ref name="standard"/>
-According to Marcus Brinkmann, who discovered the vulnerabilities, the possibility that such attacks may have succeeded throws into question the integrity of past emails, "backups, software updates, ... and source code in version control systems like [[Git (software)|Git]]."<ref name="ars"/>
+According to Marcus Brinkmann, who discovered the vulnerabilities, the existence of the SigSpoof vulnerabilities, and the fact that they were present in the wild for so long, throws into question the integrity of past emails, "backups, software updates, ... and source code in version control systems like [[Git (software)|Git]]."<ref name="ars"/>
 ==References==