diff --git a/cure53-Security-Audit-2015.md b/cure53-Security-Audit-2015.md index b2e8e42..2227082 100644 --- a/cure53-Security-Audit-2015.md +++ b/cure53-Security-Audit-2015.md @@ -17,7 +17,7 @@ FIXED IN ### OKC-01-006 Keyserver can send arbitrary Public Keys without Verification (Low) A comparison of user ids is difficult to implement as keyservers could, in some circumstances, return User IDs with a broken encoding. We would also need to check for revocation status, key size etc. which introduces much code complexity. Downloading all search results and parsing them locally before prompting the user which key(s) he wants would result in too much network traffic. Keys are several to many kilobytes in size, e.g., 66kb. -WONTFIX FOR NOW +FIXED in 4.2: Before importing keys from keyservers, they are downloaded fully, verified, and displayed to the user. ### OKC-01-009 Bypassable Fingerprint-Check for Key Exchange via QR Code (High) The fingerprint check is now performed after canonicalization and the method has been changed to check primary and mutually bound keys only.