Delta Chat

2 weeks ago

Delta Chat
2 weeks ago

Relax 😎! GPG is not OpenPGP!

Yesterday, vulnerabilities were published gpg.fail but they don't affect #deltachat or other #chatmail clients because

A) We never used #gnupg for anything; we use the modern #rustlang #openpgp implementation @rpgp, security audited multiple times.

B) #openpgp is fine, as modernized in #RFC9580, which already warns against several #gpgfail issues (gpg didn't implement that spec)

Please spread the word that #gpg is not #openpgp ... Thanks! #39c3

gpg.fail

^gpg.fail

#gpg #openpgp #RustLang #deltachat #gnupg #chatmail #39c3 #rfc9580 #gpgfail @rPGP

This entry was edited (2 weeks ago)

in reply to Delta Chat

Sandro

in reply to Delta Chat 2 weeks ago

Where would I get GPG?

in reply to Sandro

Delta Chat

in reply to Sandro 2 weeks ago

@sandro gpg or gnupg is used in many Linux distros. It's a command line tool. You can install it via standard packaging tools.

@Sandro

in reply to Delta Chat

Sandro

in reply to Delta Chat 2 weeks ago

yeah, I know, but if opengpg is not vulnerable what other software are they then referring to? 😅😅😅

How was that proprietary version called? PGP?

in reply to Sandro

@sandro there is a long trail history how openpgp evolved. We didn't mean to fully educate about this 20+ years history, just highlight that modern #openpgp #rfc9580 and #rpgp is pretty fine. Nevertheless, rpgp authors will carefully look if anything in #gpgfail could be an issue. Details haven't been fully published yet.

#openpgp #rpgp #rfc9580 #gpgfail @Sandro

in reply to Delta Chat

caravantravellers 🌈

in reply to Delta Chat 2 weeks ago

Has Werner Koch (author of GnuPG) been informed? The site doesn't say which version(s) are affected.

in reply to Delta Chat

SnowBlind2005

in reply to Delta Chat 2 weeks ago

This is all being presented in extremely confusing manner.

If anyone is confused, multiple vulnerabilities were found in GPG. The author ignored them for several months, then posted a gas lighting message not to use a certain function instead of patching it. Get ready for the book length gas lighting response of all the other issues that were found.

in reply to SnowBlind2005

Delta Chat

in reply to SnowBlind2005 2 weeks ago

@SnowBlind2005 We just tried to note that so far we see no way how delta chat and it's end to end encryption guarantees would be affected by gpgfail. What is confusing about that?

@SnowBlind2005

in reply to Delta Chat

🌱🏴‍🅰️🏳️‍⚧️🐧📎 Ambiyelp

in reply to Delta Chat 2 weeks ago

Are you seeing distros or the gnuprojecct applying this patch?

#Security #GPG #GNUProject

#gpg #security #gnuproject

in reply to 🌱🏴‍🅰️🏳️‍⚧️🐧📎 Ambiyelp

Delta Chat

in reply to 🌱🏴‍🅰️🏳️‍⚧️🐧📎 Ambiyelp 2 weeks ago

some distros are discussing gpgfail but we are not engaged much in those discussions. Better ask other people of the author of gpgfail.

This entry was edited (2 weeks ago)

in reply to Delta Chat

Rebel Zhang

in reply to Delta Chat 2 weeks ago

OpenPGP is standard. GPG (GnuPG) is implementation.

in reply to Delta Chat

m_on_stair

in reply to Delta Chat 2 weeks ago

imo rpgp should be considered vulnerable until proven otherwise. some of the bugs mentioned are C-related but not nearly all.

in reply to m_on_stair

Delta Chat

in reply to m_on_stair 2 weeks ago

@m yes, rpgp folks are checking this in more detail. It's relatively certain, though, that deltachat's intentionally minimal usage of openpgp (and rpgp) is not touching the problematic code paths and issues identified in gpgfail. Give it a bit of time. There was no upfront disclosure of anything to rpgp folks, and it's Sunday in a see of holidays around, and #39c3 is still ongoing.

#39c3 @m_on_stair

in reply to Delta Chat

Jan

in reply to Delta Chat 2 weeks ago

Thanks for the pro-active reach out. Really appreciated.
I find "security audited multiple times" not very reassuring though, heard it to many times already...

Can you go a bit into detail why you think Deltachat (or its underlying library) is safe against the mentioned gpg.fail attacks?

in reply to Jan

Delta Chat

in reply to Jan 2 weeks ago

@jan once details are published, and #39c3 is over, well take another look. But note that #deltachat's usage of #openpgp is intentionally minimal. #Gpgfail is a lot about failures of signature verification, and parsing problems in the gpg c-implementation but #deltachat doesn't use these mechanisms or code at all. The @rpgp folks are still studying the details, and there might be issues, so maybe also follow them for more details. Again, this doesn't affect deltachat as things stand.

#openpgp #deltachat #39c3 #gpgfail @Jan @rPGP

in reply to Delta Chat

DD9JN

in reply to Delta Chat 1 week ago

Hi,

For those interested we have a master ticket dev.gnupg.org/T7900 which lists all the claimed bugs. Actually there is only one major bug (T7906 - armor parser) which was fixed early November. T7901 requires a 2nd pre-image attack on SHA1- which does nor yet exist. T7907 (plaintext recovery) is simply untrue; see dev.gnupg.org/T7907#210501

BTW, of course we sign our commits and most of us even use hardware tokens.

- wk@gnupg.org

Login

^{dev.gnupg.org}

⇧

Delta Chat 2 weeks ago • •

Delta Chat
2 weeks ago