Delta Chat (39c3)

6 hours ago

Delta Chat (39c3)
6 hours ago

Relax 😎! GPG is not OpenPGP!

Yesterday, vulnerabilities were published gpg.fail but they don't affect #deltachat or other #chatmail clients because

A) We never used #gnupg for anything; we use the modern #rustlang #openpgp implementation @rpgp, security audited multiple times.

B) #openpgp is fine, as modernized in #RFC9580, which already warns against several #gpgfail issues (gpg didn't implement that spec)

Please spread the word that #gpg is not #openpgp ... Thanks! #39c3

gpg.fail

^gpg.fail

#gpg #openpgp #RustLang #deltachat #gnupg #chatmail #39c3 #rfc9580 #gpgfail @rPGP

This entry was edited (6 hours ago)

in reply to Delta Chat (39c3)

Sandro

in reply to Delta Chat (39c3) 6 hours ago

Where would I get GPG?

in reply to Sandro

Delta Chat (39c3)

in reply to Sandro 6 hours ago

@sandro gpg or gnupg is used in many Linux distros. It's a command line tool. You can install it via standard packaging tools.

@Sandro

in reply to Delta Chat (39c3)

Sandro

in reply to Delta Chat (39c3) 6 hours ago

yeah, I know, but if opengpg is not vulnerable what other software are they then referring to? 😅😅😅

How was that proprietary version called? PGP?

in reply to Sandro

@sandro there is a long trail history how openpgp evolved. We didn't mean to fully educate about this 20+ years history, just highlight that modern #openpgp #rfc9580 and #rpgp is pretty fine. Nevertheless, rpgp authors will carefully look if anything in #gpgfail could be an issue. Details haven't been fully published yet.

#openpgp #rpgp #rfc9580 #gpgfail @Sandro

Unknown parent

Delta Chat (39c3)

Unknown parent 4 hours ago

@jan once details are published, and #39c3 is over, well take another look. But note that #deltachat's usage of #openpgp is intentionally minimal. #Gpgfail is a lot about failures of signature verification, and parsing problems in the gpg c-implementation but #deltachat doesn't use these mechanisms or code at all. The @rpgp folks are still studying the details, and there might be issues, so maybe also follow them for more details. Again, this doesn't affect deltachat as things stand.

#openpgp #deltachat #39c3 #gpgfail @Jan @rPGP

Unknown parent

Delta Chat (39c3)

Unknown parent 4 hours ago

@m yes, rpgp folks are checking this in more detail. It's relatively certain, though, that deltachat's intentionally minimal usage of openpgp (and rpgp) is not touching the problematic code paths and issues identified in gpgfail. Give it a bit of time. There was no upfront disclosure of anything to rpgp folks, and it's Sunday in a see of holidays around, and #39c3 is still ongoing.

#39c3 @m_on_stair

in reply to Delta Chat (39c3)

caravantravellers 🌈

in reply to Delta Chat (39c3) 2 hours ago

Has Werner Koch (author of GnuPG) been informed? The site doesn't say which version(s) are affected.

in reply to Delta Chat (39c3)

SnowBlind2005

in reply to Delta Chat (39c3) 31 minutes ago

This is all being presented in extremely confusing manner.

If anyone is confused, multiple vulnerabilities were found in GPG. The author ignored them for several months, then posted a gas lighting message not to use a certain function instead of patching it. Get ready for the book length gas lighting response of all the other issues that were found.

⇧

Delta Chat (39c3) 6 hours ago • •

Delta Chat (39c3)
6 hours ago