Bug 220492

Summary: security/gnupg defaults are mad
Product: Ports & Packages Reporter: julien
Component: Individual Port(s)Assignee: Adam Weinberger <adamw>
Status: Closed Not Enough Information    
Severity: Affects Only Me Flags: bugzilla: maintainer-feedback? (adamw)
Priority: ---    
Version: Latest   
Hardware: Any   
OS: Any   

Description julien 2017-07-05 17:10:12 UTC 
I know the problem is not exactly RSA but a peculiar implementation

Still
http://thehackernews.com/2017/07/gnupg-libgcrypt-rsa-encryption.html


Default of PGP? RSA 1024.
Default of PGP for fingerprint SHA1

Changing it is a PITA

As an experience I tried to use SHA256/Curve259.

Try it yourself, and beat me if you find it intuitive after a 20minutes googling the internet to go in full expert to choose a very strong algo in the middle of NIST....

This software MIGHT be the best one in the world when it comes to cryptography, when it comes to the User Interface even for beardy sysadmins that enjoy CLI is a PAIN.

Leading us by default on the wrong choices.

I am really not an expert, but an exploit actually usable on RSA or SHA1 might be discovered. And this day, should not we have a decent interface to change our default in less than 1 hour (imagine the web is down)?

If our defaults are broken, isn't there a risk bigger that people exchange with the illusion of safety data that are unsafe?

My proposition is to remove GpG to try to look cooler than openBSD.

It will probably surprise them, and we all hate using gpg anyway.
Comment 1 Adam Weinberger freebsd_committer freebsd_triage 2017-07-06 00:23:35 UTC 
Hi Julien,

I'm not understanding what it is you're proposing here. The libgcrypt vulnerability was fixed in libgcrypt-1.7.8, which is already in the ports tree.
Comment 2 Adam Weinberger freebsd_committer freebsd_triage 2017-10-09 12:57:19 UTC 
No response from submitter, closing out.