Author: Troy Benjegerdes 2014-03-23 22:12:21
Published on: 2014-03-23T22:12:21+00:00
On 22 March 2014, Mike Hearn cautioned that fake PGP keys were being produced by unknown parties to sign popular pieces of crypto software, which could make a MITM attack appear genuine. He urged PGP users to verify their downloads and to make sure they are using the correct key. It is probable that these fake keys are the work of corporate industrial espionage or organized crime outfits rather than intelligence agencies, which would instead rely on compromised X.509 certificates, network cards or binary code blobs. He believes it unlikely that an intelligence agency would want Bitcoin, since it could simply intercept ASIC miners instead. He noted that Core's Mac DMGs are signed for Gatekeeper, but asked whether the Windows binaries are code-signed; if not, it would be a good idea to do so, especially because AV scanners learn key reputations to reduce false positives. While Linux does not support X.509 code signing, he emphasized that real operating systems use package managers with PGP instead of pre-compromised X.509.
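"Ensure they are using the correct key" comes down to comparing the full fingerprint of the key that signed a download against a fingerprint obtained out of band. As an added example that is not part of the original thread, the script below derives an OpenPGP v4 fingerprint from a public-key packet (RFC 4880) and checks it against a pinned value; the key bytes are constructed, not real key material, and the packet builder and parser only cover old-format RSA v4 keys.

```python
import hashlib
import struct

def _mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    nbytes = (value.bit_length() + 7) // 8
    return struct.pack(">H", value.bit_length()) + value.to_bytes(nbytes, "big")

def build_rsa_key_packet(n: int, e: int, created: int) -> bytes:
    """Old-format public-key packet (tag 6, 2-byte length) holding a v4 RSA key."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(n) + _mpi(e)
    return bytes([0x80 | (6 << 2) | 0x01]) + struct.pack(">H", len(body)) + body

def parse_public_key_packet(data: bytes) -> bytes:
    """Return the body of an old-format public-key packet with a 1-, 2- or 4-byte length."""
    tag_byte = data[0]
    if (tag_byte & 0xC0) != 0x80:
        raise ValueError("not an old-format OpenPGP packet")
    if (tag_byte & 0x3C) >> 2 != 6:
        raise ValueError("expected a public-key packet (tag 6)")
    width = (1, 2, 4)[tag_byte & 0x03]  # length type 3 (indeterminate) raises IndexError
    length = int.from_bytes(data[1:1 + width], "big")
    body = data[1 + width:1 + width + length]
    if len(body) != length or body[0] != 4:
        raise ValueError("truncated packet or not a v4 key")
    return body

def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the 2-byte body length and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def key_id(fingerprint: str) -> str:
    """The 64-bit key ID is just the low 8 bytes of the fingerprint; never pin on it alone."""
    return fingerprint[-16:]

def key_matches_pin(packet: bytes, pinned: str) -> bool:
    """Accept a key only if its full 160-bit fingerprint equals the pinned value."""
    return v4_fingerprint(parse_public_key_packet(packet)) == pinned.replace(" ", "").upper()

# Constructed sample key: the modulus is an arbitrary 256-bit number, not real key material.
SAMPLE_KEY = build_rsa_key_packet((1 << 255) | 0xC0FFEE, 65537, 1395532800)
# A different key that could be published under the same name and e-mail address.
LOOKALIKE_KEY = build_rsa_key_packet((1 << 255) | 0xC0FFEF, 65537, 1395532800)
# The pin must come from an out-of-band source; it is derived here once so the example runs offline.
PINNED_FINGERPRINT = v4_fingerprint(parse_public_key_packet(SAMPLE_KEY))

if __name__ == "__main__":
    print("pinned:", PINNED_FINGERPRINT, "key id:", key_id(PINNED_FINGERPRINT))
    print("genuine:", key_matches_pin(SAMPLE_KEY, PINNED_FINGERPRINT),
          "lookalike:", key_matches_pin(LOOKALIKE_KEY, PINNED_FINGERPRINT))
```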
Updated on: 2023-06-08T15:41:47.554570+00:00