Page MenuHome GnuPG

cnd (Chris)
User

Projects

User does not belong to any projects.

User Details

User Since
Mar 27 2017, 4:47 PM (404 w, 3 d)
Availability
Available

Recent Activity

Nov 17 2015

cnd raised the priority of T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries from Wishlist to High.
Nov 17 2015, 6:10 PM · Feature Request, gpgweb
cnd reopened T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries as "Open".
Nov 17 2015, 6:10 PM · Feature Request, gpgweb
cnd added a project to T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries: Bug Report.
Nov 17 2015, 6:10 PM · Feature Request, gpgweb
cnd removed a project from T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries: Feature Request.
Nov 17 2015, 6:10 PM · Feature Request, gpgweb
cnd added a comment to T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries.

Bernhard - this is an issue of security, it is not a place for you to
exercise corruption by using your influence over administrators to shut down
opinions you disagree with.

You have made a statement that I am absolutely confident that no security
professional will support: "We will keep the non-TLS access, because there
are some people that will lose access otherwise.". Aside form this
statement being almost certainly totally untrue, this is nevertheless NOT a
valid reason to continue to distribute a security product over known
compromiseable channels. If anyone cannot get GPG because of TLS (which I
doubt), that is NOT a reason to for everyone to get GPG over an insecure
channel. Like I've said before, security-downgrade attacks are the most
effective weapon used by adversaries. Do not make is so easy for them.

Let me suggest a resolution to this problem, since we seem to be at a
stalemate:

Let us pick a security professional who is known and trusted. You can write
down your case for why you do not want to use TLS, and I will write down my
case why I want TLS to be mandatory, and we will each give our cases to this
professional.

If they pick your case, I will let you close this ticket and I will not come
back.

If they pick my case, you will resign from the GnuPG project and not come
back.

Deal?

Nov 17 2015, 6:10 PM · Feature Request, gpgweb

Nov 13 2015

cnd added a comment to T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries.

This is still open: http://files.gpg4win.org/gpg4win-2.2.6.exe
So this stays open: T1858

Nov 13 2015, 10:18 AM · Feature Request, gpgweb
cnd added a project to T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries: Bug Report.
Nov 13 2015, 10:18 AM · Feature Request, gpgweb
cnd reopened T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries as "Open".
Nov 13 2015, 10:18 AM · Feature Request, gpgweb
cnd removed a project from T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries: Feature Request.
Nov 13 2015, 10:18 AM · Feature Request, gpgweb
cnd raised the priority of T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries from Wishlist to Unbreak Now!.
Nov 13 2015, 10:18 AM · Feature Request, gpgweb
cnd added a comment to T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries.

Mate - it's this simple. For as long as you're distributing a security
product over plaintext insecure channels, this bug needs to stay open.

TLS will NOT prevent anyone downloading this, no matter how hard you cling
to that irrational idea. If you work for someone who is exploiting this
attack vector SHAME ON YOU!!!

Stop wasting everyones time. If you don't want to fix this, go away and do
something else, stop preventing someone who *can* fix it from actually doing
that by messing with this ticket.

Nov 13 2015, 8:51 AM · Feature Request, gpgweb
cnd raised the priority of T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries from Wishlist to Unbreak Now!.
Nov 13 2015, 8:51 AM · Feature Request, gpgweb
cnd added projects to T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries: Info Needed, Bug Report.
Nov 13 2015, 8:51 AM · Feature Request, gpgweb
cnd removed a project from T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries: Feature Request.
Nov 13 2015, 8:51 AM · Feature Request, gpgweb
cnd reopened T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries as "Open".
Nov 13 2015, 8:51 AM · Feature Request, gpgweb

Nov 12 2015

cnd reopened T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries as "Open".
Nov 12 2015, 4:50 PM · Feature Request, gpgweb
cnd added a comment to T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries.

"We will keep the non-TLS access, because there are some people
that will lose access otherwise."

LOL

You know that GnuPG is a security product, right?

I challenge your assumption. Nobody will loose access, but securing
downloads will make EVERYONE mass-loads safer.

Heck dude - there's this search engine, maybe you've heard of it? It's
called GOOGLE. They make you use this thing, maybe you've heard of it too?
It's called TLS.

Just get rid of the unsafe stuff Bernhard, this isn't a game, peoples lives
really do balance on this stuff. Start acting responsibly.

Nov 12 2015, 4:50 PM · Feature Request, gpgweb
cnd reopened T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries as "Open".
Nov 12 2015, 12:30 PM · Feature Request, gpgweb
cnd added a comment to T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries.

Sounds like a plan!

Get rid of all the insecure delivery mechanisms ( e.g.
http://files.gpg4win.org/gpg4win-2.2.6.exe ), which you can now safely do
because you've got secure ones (well done), then (and only then) you can
close this bug!

Nov 12 2015, 12:30 PM · Feature Request, gpgweb
cnd added a comment to T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries.

For as long as easy MitM can substitute traffic, signing the EXE is a
pointless waste of time.

Nov 12 2015, 10:22 AM · Feature Request, gpgweb
cnd reopened T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries as "Open".
Nov 12 2015, 10:21 AM · Feature Request, gpgweb
cnd added a project to T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries: Bug Report.
Nov 12 2015, 10:21 AM · Feature Request, gpgweb
cnd raised the priority of T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries from Normal to Unbreak Now!.
Nov 12 2015, 10:21 AM · Feature Request, gpgweb
cnd added a comment to T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries.

This is still open: http://files.gpg4win.org/gpg4win-2.2.6.exe
So this stays open: T1858

Nov 12 2015, 10:21 AM · Feature Request, gpgweb

Sep 11 2015

cnd added a project to T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries: Bug Report.
Sep 11 2015, 11:56 AM · Feature Request, gpgweb
cnd reopened T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries as "Open".
Sep 11 2015, 11:56 AM · Feature Request, gpgweb
cnd added a comment to T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries.

This is still open: http://files.gpg4win.org/gpg4win-2.2.6.exe
So this stays open: T1858

You said: "TAKE THIS TO A MAILING LIST"
You then said: "I have see your post."
You are behaving with extreme deception and dishonesty.
Leave this issue to someone else - your emotions have destroyed your
objectivity.

Sep 11 2015, 11:56 AM · Feature Request, gpgweb
cnd raised the priority of T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries from Normal to Unbreak Now!.
Sep 11 2015, 11:56 AM · Feature Request, gpgweb
cnd added a comment to T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries.

Stop closing this bug.
I did take this to the list.
You or whoever runs/moderates it is blocking my post.

DO NOT CLOSE THIS until such time as windows users are prevented from
getting your security solution over totally insecure channels.

This is not a game you know - it's an almost absolute certainty that your
careless security attitude will GET PEOPLE KILLED.

Let the person who fixes the insecure distribution problem be the one who
closes this bug. It is not appropriate that your ego needs to win some
puerile argument at the expense of other peoples safety and lives.

Sep 11 2015, 9:03 AM · Feature Request, gpgweb
cnd reopened T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries as "Open".
Sep 11 2015, 9:03 AM · Feature Request, gpgweb
cnd added a project to T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries: Bug Report.
Sep 11 2015, 9:03 AM · Feature Request, gpgweb
cnd raised the priority of T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries from Normal to Unbreak Now!.
Sep 11 2015, 9:03 AM · Feature Request, gpgweb

Sep 10 2015

cnd reopened T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries as "Open".
Sep 10 2015, 5:02 PM · Feature Request, gpgweb
cnd added a comment to T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries.

I checked. Here are some inconvenient "facts" for you:

http://gpg4win.org/download.html
http://files.gpg4win.org/gpg4win-2.2.6.exe
http://files.gpg4win.org/gpg4win-2.2.6.exe.sig

https://www.gnupg.org/download/mirrors.html *
There is NOT EVEN ONE SINGLE SSL LINK on the above page!!!!!

Dude - you need to take yourself off this project. If you are more
interested in winning some stupid pride fight than protecting users of a
security product, you deserve no place on the team.

Let me quote YOUR OWN WORDS back to you:
" Instead of providing a not very secure HTTPS access to the files... "

You work on a security product, and you expect us to accept that because you
somehow believe the same security that protects every single other thing on
the web is "not very secure", that it's all fine and hunky-dory for you to
distribute yours over PLAIN UNAUTHENTICATED TEXT, and to expect us to USE
this unauthenticated code to verify it's own sigantures, which also come the
same way (http://files.gpg4win.org/gpg4win-2.2.6.exe.sig)

Here's some more facts - just one tiny list...

ftp://ftp.gnupg.ca/
ftp://ftp.ring.gr.jp/pub/net/gnupg/
http://www.ring.gr.jp/pub/net/gnupg/
ftp://gd.tuwien.ac.at/privacy/gnupg/
http://gd.tuwien.ac.at/privacy/gnupg/
ftp://mirrors.dotsrc.org/gcrypt/
http://mirrors.dotsrc.org/gcrypt/
ftp://ftp.jyu.fi/pub/crypt/gcrypt/
ftp://mirror.cict.fr/gnupg/

http://artfiles.org/gnupg.org
ftp://ftp.franken.de/pub/crypt/mirror/ftp.gnupg.org/gcrypt/

ftp://ftp.freenet.de/pub/ftp.gnupg.org/gcrypt/

http://ftp.heanet.ie/mirrors/ftp.gnupg.org/gcrypt/

...

and the list snakes on

Do not close this bug. Your emotions are too heated to be rational now.

Sep 10 2015, 5:02 PM · Feature Request, gpgweb
cnd added a project to T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries: Bug Report.
Sep 10 2015, 5:02 PM · Feature Request, gpgweb
cnd raised the priority of T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries from Normal to Unbreak Now!.
Sep 10 2015, 5:02 PM · Feature Request, gpgweb
cnd reopened T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries as "Open".
Sep 10 2015, 12:14 AM · Feature Request, gpgweb
cnd raised the priority of T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries from Normal to Unbreak Now!.
Sep 10 2015, 12:14 AM · Feature Request, gpgweb
cnd added a project to T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries: Bug Report.
Sep 10 2015, 12:14 AM · Feature Request, gpgweb
cnd added a comment to T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries.

gpg itself, and all it's SHA sums, and all your keys, are being distributed
over unauthenticated plain-text channels which are 100% vulnerable to
undetectable modification in transit.

There is NO EXCUSE for any security product to be distributed in such a
blatantly irresponsible way.

EVERY PLAINTEXT ENDPOINT NEEDS TO BE SHUT DOWN

Sep 10 2015, 12:14 AM · Feature Request, gpgweb

Mar 4 2015

cnd reopened T1857: broken SSL certificate in bug tracking system as "Open".
Mar 4 2015, 12:58 PM
cnd added a project to T1857: broken SSL certificate in bug tracking system: Bug Report.
Mar 4 2015, 12:58 PM
cnd added a comment to T1857: broken SSL certificate in bug tracking system.

You stated that you deliberately used a self-signed SSL cert instead of
buying one, because, in your own words, "The X.509 system is broken beyond
repair."

That is a political reason, and is has reduced user security. Using non-
working SSL reduces security - you do know that, don't you?

The *reason* security gets "broken beyond repair", is because too many
people change mistakes into "notbug" and never fix stuff.

Bite your tongue, swallow your pride, spend the $3.50 and just buy a
certificate mate.

This conversation is going to get read by other people in future, you decide
next what you want them to think about you.

Mar 4 2015, 12:58 PM
cnd raised the priority of T1857: broken SSL certificate in bug tracking system from Normal to Unbreak Now!.
Mar 4 2015, 12:58 PM

Mar 3 2015

cnd renamed T1857: broken SSL certificate in bug tracking system from broken SSL certificate in bug tyracking system to broken SSL certificate in bug tracking system.
Mar 3 2015, 6:35 PM
cnd added a comment to T1857: broken SSL certificate in bug tracking system.

In what other ways have you "on purpose" reduced the security of your users
for tin-foil-hat political reasons I wonder?

Buy the cert. It's, like, $3.50 (comodo), or if you really want to splurge,
$49 for unlimited number of domains and SANs and wildcards and whatever else
tickles your fancy (startssl)

Mar 3 2015, 6:35 PM

Mar 1 2015

cnd added a project to T1858: Wish for additional TLS access to GnuPG and Gpg4win binaries: Bug Report.
Mar 1 2015, 4:13 AM · Feature Request, gpgweb
cnd added a comment to T1857: broken SSL certificate in bug tracking system.

Mar 1 2015, 4:00 AM
cnd added a project to T1857: broken SSL certificate in bug tracking system: Bug Report.
Mar 1 2015, 4:00 AM

Dec 20 2013

cnd added a comment to T1588: GnuPG side channel attack, RSA4096 cracked via acoustic cryptanalysis.

You need to perform the bigmath modexp routines in constant time, the same as the
smartcard people do to stop key theft via power usage observation.

Dec 20 2013, 3:33 AM · Mistaken, Bug Report, gnupg
cnd set External Link to http://www.tau.ac.il/~tromer/papers/acoustic-20131218.pdf on T1588: GnuPG side channel attack, RSA4096 cracked via acoustic cryptanalysis.
Dec 20 2013, 3:30 AM · Mistaken, Bug Report, gnupg
cnd set Version to Undisclosed on T1588: GnuPG side channel attack, RSA4096 cracked via acoustic cryptanalysis.
Dec 20 2013, 3:30 AM · Mistaken, Bug Report, gnupg
cnd added projects to T1588: GnuPG side channel attack, RSA4096 cracked via acoustic cryptanalysis: gnupg, Bug Report.
Dec 20 2013, 3:30 AM · Mistaken, Bug Report, gnupg