tag:gpgtools.tenderapp.com,2011-11-04:/discussions/problems/13667-privacy-leak-in-version-and-comment-headerGPGTools: Discussion 2015-01-09T13:29:09Ztag:gpgtools.tenderapp.com,2011-11-04:Comment/301727702013-11-25T08:34:13Z2014-02-02T09:54:27ZPrivacy Leak in Version: and Comment: header<div><p>We'll see what we can do about this.<br>
One problem which comes to mind is, that we've encountered clients
which rely on the version information, and don't parse the PGP
message in absence of such a version.<br>
Your point however is perfectly valid of course.</p></div>Luke Letag:gpgtools.tenderapp.com,2011-11-04:Comment/301727702014-01-30T17:17:36Z2014-02-02T09:54:26ZPrivacy Leak in Version: and Comment: header<div><p>Hi Fabio,</p>
<p>first, thanks a lot for that input. This is a delicate question as
is changing defaults. We do our best to keep users on the latest
MacGPG2 release. But you make a valid point here.</p>
<p>For documentation's sake: It is currently possible to deactivate
the display of both version and comment. That is done very easily
via System Preferences > GPGPreferences (see attached screenshot
for what options to set).</p>
<p>As for the default, basically what Luke said. If some clients
require this, I'm not sure if changing the default is currently an
ideal solution.</p>
<p>All the best, steve</p></div>Stevetag:gpgtools.tenderapp.com,2011-11-04:Comment/301727702014-02-02T09:08:39Z2014-02-02T09:54:25ZPrivacy Leak in Version: and Comment: header<div><p>I see that Version information has been fixed by the GnuPG
project and in<br>
all of the new releases only the major version is reported.</p>
<p>I expect that this is the only version information being used by
other<br>
clients.</p>
<p>So, regarding the Comment field, that's where the GnuPG
tools<br>
identification is reported, because it's not used we could remove
it by<br>
default.</p>
<p>What do you think?</p></div>Fabio Pietrosantitag:gpgtools.tenderapp.com,2011-11-04:Comment/301727702014-04-28T07:20:03Z2014-04-28T07:20:04ZPrivacy Leak in Version: and Comment: header<div><p>Hi,</p>
<p>today Enigmail has also been fixed.</p>
<p>So, now Enigmail and GnuPG have both fixed this issue:</p>
<p>GnuPG has been fixed:<br>
<a href=
"https://bugs.g10code.com/gnupg/issue1572">https://bugs.g10code.com/gnupg/issue1572</a></p>
<p>EnigMail has been fixed (yesterday):<br>
<a href=
"http://sourceforge.net/p/enigmail/bugs/216/">http://sourceforge.net/p/enigmail/bugs/216/</a></p>
<p>Would you consider providing such safe defaults?</p></div>Fabio Pietrosantitag:gpgtools.tenderapp.com,2011-11-04:Comment/301727702014-06-01T15:08:09Z2014-06-01T15:15:59ZPrivacy Leak in Version: and Comment: header<div><p>Hi Fabio,</p>
<p>thanks for reminding us of this. And thanks for cross linking
all the issues linking the crypto community together and allowing
to keep track of what's happening in the other development teams
departments :)</p>
<p>This is fixed. New installations will not display the version
info.</p>
<p>All the best,<br>
steve</p></div>Steve
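
The check discussed in this thread, as an added example that is not part of the original discussion or of GPGTools: a small filter that reports and removes the `Version:` and `Comment:` armor headers from ASCII-armored OpenPGP text before it leaves the machine. The sample message, its header values and the function names are constructed for illustration.

```python
import re

LEAKY = {"version", "comment"}  # armor header keys this thread is about
BEGIN = re.compile(r"^-----BEGIN PGP [A-Z0-9 ,/]+-----$")

# Constructed sample: header values and body are illustrative, not a real message.
SAMPLE = """\
-----BEGIN PGP MESSAGE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org
Charset: UTF-8

aGVsbG8gd29ybGQ=
=AAAA
-----END PGP MESSAGE-----
"""

def scan_armor(text):
    """Return (kept_lines, leaked); leaked lists the (key, value) pairs dropped."""
    out, leaked, in_headers = [], [], False
    for line in text.splitlines():
        if BEGIN.match(line):
            in_headers = True            # armor headers follow every BEGIN line
            out.append(line)
            continue
        if in_headers:
            if line.strip() == "":
                in_headers = False       # a blank line ends the header section
            else:
                key, sep, value = line.partition(": ")
                if sep and key.lower() in LEAKY:
                    leaked.append((key, value))
                    continue             # drop the identifying header
        out.append(line)                 # body, cleartext and other headers pass through
    return out, leaked

def leaked_headers(text):
    """List the client-identifying armor headers present in text."""
    return scan_armor(text)[1]

def strip_leaky_headers(text):
    """Return text with Version:/Comment: armor headers removed."""
    return "\n".join(scan_armor(text)[0]) + "\n"

if __name__ == "__main__":
    for key, value in leaked_headers(SAMPLE):
        print(f"leaks client info: {key}: {value}")
    print(strip_leaky_headers(SAMPLE), end="")
```

Armor headers sit outside the signed or encrypted data, so removing them does not invalidate the message. At the source, GnuPG's `no-emit-version` and `no-comments` options in `gpg.conf` suppress the same headers.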