Date: Wed, 05 Jul 2017 17:10:12 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-ports-bugs@FreeBSD.org Subject: [Bug 220492] security/gnupg defaults are mad Message-ID: <bug-220492-13@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D220492 Bug ID: 220492 Summary: security/gnupg defaults are mad Product: Ports & Packages Version: Latest Hardware: Any OS: Any Status: New Severity: Affects Only Me Priority: --- Component: Individual Port(s) Assignee: adamw@FreeBSD.org Reporter: julien@tayon.net Assignee: adamw@FreeBSD.org Flags: maintainer-feedback?(adamw@FreeBSD.org) I know the problem is not exactly RSA but a peculiar implementation Still http://thehackernews.com/2017/07/gnupg-libgcrypt-rsa-encryption.html Default of PGP? RSA 1024. Default of PGP for fingerprint SHA1 Changing it is a PITA As an experience I tried to use SHA256/Curve259. Try it yourself, and beat me if you find it intuitive after a 20minutes googling the internet to go in full expert to choose a very strong algo in = the middle of NIST.... This software MIGHT be the best one in the world when it comes to cryptogra= phy, when it comes to the User Interface even for beardy sysadmins that enjoy CL= I is a PAIN. Leading us by default on the wrong choices. I am really not an expert, but an exploit actually usable on RSA or SHA1 mi= ght be discovered. And this day, should not we have a decent interface to change our default in less than 1 hour (imagine the web is down)? If our defaults are broken, isn't there a risk bigger that people exchange = with the illusion of safety data that are unsafe? My proposition is to remove GpG to try to look cooler than openBSD. It will probably surprise them, and we all hate using gpg anyway. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-220492-13>