GnuPG public key vulnerability?
Fraser Tweedale
frase at frase.id.au
Wed Nov 1 03:00:36 CET 2017
On Tue, Oct 31, 2017 at 08:10:45PM -0400, murphy wrote:
> I got a signed notification from facebook (good signature, enigmail)
> that claims my GnuPG generated public key has a "recently disclosed
> vulnerability". This is the full text:
>
> We have detected that the OpenPGP key on your Facebook profile may be
> susceptible to attacks due to a recently disclosed vulnerability. We
> recommend that you revoke and replace your public key immediately to
> minimize the risk to your encrypted communications. You can update your
> public key by visiting your Security and Login settings. To help reduce
> the risk of your key being attacked, we have set the privacy of your
> potentially vulnerable public key on your profile to "Only Me" to limit
> further distribution. We will continue to encrypt your notification
> emails using this OpenPGP public key.
>
> This is doubly weird since the private/public key was generated on a
> Yubikey-4 nano and it is safe at home. Does anyone know what this may
> be about?
>
Some versions of the YubiKey 4 were affected by the ROCA
vulnerability, which caused weak keys to be generated.
https://www.yubico.com/support/security-advisories/ysa-2017-01/
https://crocs.fi.muni.cz/public/papers/rsa_ccs17
I would say that is what the email is about.
Cheers,
Fraser
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20171101/d18e889f/attachment.sig>
More information about the Gnupg-users
mailing list