
Decades-old GnuPG bug allowed hackers to spoof just about anyone’s signature - mikece
https://arstechnica.com/information-technology/2018/06/decades-old-pgp-bug-allowed-hackers-to-spoof-just-about-anyones-signature/
======
tedunangst
[https://news.ycombinator.com/item?id=17309987](https://news.ycombinator.com/item?id=17309987)

------
jchanimal
Can someone explain how bad this is in multiples of Heartbleed? Any big time
automated processes with decades of dubious history now, etc?

~~~
jerf
It's difficult to be precise, but I'd bid it out as a _minimum_ of 6 orders of
magnitude less, and if someone wanted to bid out 8 or 9 I wouldn't fight them.

It's not a zero-impact issue, but there are so many differences between this and
Heartbleed that it just can't be that large. For one thing, there are several
orders of magnitude fewer users of GPG than SSL. Then you need a vulnerable
configuration. Then you need to have been exploited. Those three things
multiply out to quite a few orders of magnitude.

------
exabrial
Sorry to be pedantic, but it appears to be a bug in GPG, not the PGP spec.

~~~
Boulth
PGP is a trademark currently held by Symantec:
[https://www.symantec.com/about/legal/trademark-policies](https://www.symantec.com/about/legal/trademark-policies)

The spec is OpenPGP and both PGP and GPG implement it:
[https://tools.ietf.org/html/rfc4880](https://tools.ietf.org/html/rfc4880)

~~~
exabrial
That is even more delightfully pedantic (and I learned something)