Here’s an interesting dilemma: hackers taking advantage of an encryption bug to insert information that gets past email filters. This is exactly what can happen with GNU Privacy Guard. By taking advantage of a bug involving the signature, anyone can insert text and the like and make it all look as if it is part of the signature.
A problem related to a widely used open-source cryptography technology could let miscreants tamper with digitally signed and encrypted emails.
The problem lies in how certain email applications display messages signed using the GNU Privacy Guard, also known as GnuPG and GPG, the GnuPG group said in a security alert on Tuesday. It may not be possible to identify which part of a message is actually signed if GPG is not used correctly, it said.
“It is possible to insert additional text before or after a signed, or signed and encrypted, OpenPGP message and make the user believe that this additional text is also covered by the signature,” according to the alert.
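To make the alert's point concrete, here is an added example (not from the GnuPG alert or any mail client) that separates the text inside one cleartext-signed OpenPGP block from text placed before or after it. It assumes the cleartext signature framing only, does not verify the signature, and uses a constructed sample message; the function names are hypothetical.

```python
BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Constructed sample: one signed block with unsigned text on both sides.
SAMPLE = """Unsigned line placed above the block.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Meeting moved to 3pm.
- -- Alice
-----BEGIN PGP SIGNATURE-----

(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
Unsigned line placed below the block.
"""

def split_cleartext_signed(body):
    """Split a mail body into text before, inside and after the first
    cleartext-signed block. Framing only: nothing is verified here."""
    lines = [line.rstrip() for line in body.splitlines()]
    try:
        start = lines.index(BEGIN_MSG)
        sig = lines.index(BEGIN_SIG, start + 1)
        end = lines.index(END_SIG, sig + 1)
    except ValueError:
        raise ValueError("no complete cleartext-signed block found")
    # Armor headers such as "Hash: ..." run up to the first empty line.
    text_start = start + 1
    while text_start < sig and lines[text_start]:
        text_start += 1
    text_start += 1  # skip the blank separator line
    # Undo dash-escaping ("- " prefix) to recover the signed text.
    covered = [l[2:] if l.startswith("- ") else l
               for l in lines[text_start:sig]]
    return {
        "before": "\n".join(lines[:start]).strip(),
        "covered": "\n".join(covered),
        "after": "\n".join(lines[end + 1:]).strip(),
    }

def unsigned_regions(body):
    """Name the regions holding text the signature cannot cover."""
    parts = split_cleartext_signed(body)
    return [name for name in ("before", "after") if parts[name]]

if __name__ == "__main__":
    print(unsigned_regions(SAMPLE))
```

A display layer that shows only the `covered` text as signed, and visibly marks anything in `before` or `after` as unsigned, avoids the confusion the alert describes.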
Tags: Bugs, Encryption
