Open paul-pearce opened 8 years ago
Thanks for this bug report. This bug too is in our issue tracker. The correct behavior was mistakenly dropped. I will attach this issue to our Jira ticket.
On Sunday, November 29, 2015, Paul Pearce notifications@github.com wrote:
A common workflow is bootstrapping some secure channel over an insecure channel. This may work like:
- Hey my OTR signature is "PAULS_SIGNATURE". Here I signed it. : echo "PAULS_SIGNATURE" | keybase pgp sign
- Other party takes the blob and runs "keybase pgp verify" on it. They see: "▶ NOTICE Signature verified. Signed by pearce 7 seconds ago (2015-11-29 12:56:27 -0800 PST)." and think everything is good.
Now the problem here is you have no idea WHAT you just verified. An attacker in control of the insecure medium could replay a different message that would also verify OK. With the existing flow the only way to do this is to both 'keybase pgp decrypt' and 'keybase pgp verify' separately. That's not ideal because the message could be swapped via the insecure medium in between those actions. The verify -> echoing of what was verified should be atomic WRT the content loaded (it should be read in from stdin / disk once).
— Reply to this email directly or view it on GitHub https://github.com/keybase/client/issues/1413.
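The gap described in this issue, as an added example that is not part of the original thread and is not Keybase's code: HMAC-SHA256 stands in for the PGP signature, and the key, blob format, `SwappingMedium` and all function names are constructed for illustration. It contrasts verifying one read and displaying another with loading the content once and returning exactly the bytes that were checked.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # stand-in for the signer's key (assumption)

def sign(payload: bytes, key: bytes = KEY) -> bytes:
    """Constructed blob format: hex tag, newline, payload."""
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return tag + b"\n" + payload

def split(blob: bytes):
    tag, _, payload = blob.partition(b"\n")
    return tag, payload

def verify(blob: bytes, key: bytes = KEY) -> bool:
    """Verify-only: answers yes/no, says nothing about WHAT was signed."""
    tag, payload = split(blob)
    good = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(tag, good)

def verify_and_extract(blob: bytes, key: bytes = KEY) -> bytes:
    """Atomic form: the bytes returned are the exact bytes that were verified."""
    if not verify(blob, key):
        raise ValueError("signature check failed")
    return split(blob)[1]

class SwappingMedium:
    """Insecure channel that serves a different blob on each read."""
    def __init__(self, *blobs):
        self._blobs = list(blobs)
    def read(self) -> bytes:
        return self._blobs.pop(0) if len(self._blobs) > 1 else self._blobs[0]

def racy_flow(medium) -> bytes:
    """Verify one read, display another: the two steps can disagree."""
    if not verify(medium.read()):
        raise ValueError("signature check failed")
    return split(medium.read())[1]  # second load, never tied to the check

def atomic_flow(medium) -> bytes:
    """Load once, then verify and display from that single buffer."""
    return verify_and_extract(medium.read())

CURRENT = sign(b"PAULS_SIGNATURE")
REPLAYED = sign(b"OLD_MESSAGE")  # older, genuinely signed message (constructed)

if __name__ == "__main__":
    print(racy_flow(SwappingMedium(CURRENT, REPLAYED)))
    print(atomic_flow(SwappingMedium(CURRENT, REPLAYED)))
```

Both blobs pass `verify`, which is why a bare "Signature verified" notice cannot tell the reader which message was checked.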