Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <550E441A.5040007@gmail.com>
Date: Sun, 22 Mar 2015 00:24:58 -0400
From: Daniel Micay <danielmicay@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE for Kali Linux

> Windows users are also left out without this: they don't have GPG, and
> they don't have a secure way to obtain GPG.

http://www.gpg4win.org/
http://sourceforge.net/projects/msys2/

Not even HTTPS *without* HSTS + HPKP. Gpg4win did get part of the way
there but didn't grab a free certificate from GlobalSign or StartSSL.

The official gnupg site uses ftp with... GPG signatures. I guess you're
supposed to validate that the GPG installer you've downloaded is valid
by running the GPG installer? :P

https://www.gnupg.org/download/

Is there actually a way for a Windows user to obtain it securely?

GPG simply doesn't work here, even if you assume that users are going to
take extra steps to verify the download. You have to rely on HTTPS (or
HKPS) to obtain the GPG key anyway, so I don't see the point in pushing
for it here. It's fantastic for package signing, sure :).


Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.