Canary Issues

Main Sequence
Posts: 17
Joined: Wed Mar 20, 2019 12:52 am

Canary Issues

Post by Main Sequence » Sun Sep 27, 2020 3:43 pm

For people who are supposed to be experts in privacy and security, your warrant canary has a few issues!

Your canary is signed with the obsolete SHA-1 hash, which is now widely deprecated, because it is prone to hash collisions, meaning it is effectively BROKEN. It would only take a minor tweak to your config settings to use SHA-512 as your default hash algorithm.

Second, the version of PGP used to sign that Canary is: GnuPG v2.0.22 (GNU/Linux).

I find it interesting that you are still using such old, outdated software -- the 2.0 branch of GnuPG was end-of-life'd on December 31st, 2017 -- almost 3 full years ago!
GNU Privacy Guard - Wikipedia

Before the release of GnuPG 2.2 ("modern"), the now deprecated "stable" branch (2.0) was recommended for general use, initially released on November 13, 2006. This branch reached its end-of-life on December 31, 2017; Its last version is 2.0.31, released on December 29, 2017.

Main Sequence
Posts: 17
Joined: Wed Mar 20, 2019 12:52 am

Re: Canary Issues

Post by Main Sequence » Wed Sep 30, 2020 1:35 pm

Thank you for addressing the issue I raised so promptly.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

As of September 29, 2020, cryptostorm has not received any National Security Letters or FISA court orders, and we have not been subject to any gag order(s) by a FISA court, or any other similar court(s) of any government. cryptostorm has never placed any backdoors in our hardware or software and has not received any requests to do so. cryptostorm has never disclosed any user communications to any third party. No searches or seizures of any kind have ever been performed on cryptostorm assets.

This canary will be updated quarterly, with the next update being December 31 in 2020.
After that, it will be updated on March 31 in 2021.
The updates will be performed manually, so the update might be off by a day or two at the most.

Recent headlines:
6 things to look for in the first Biden-Trump presidential debate - https://edition.cnn.com/2020/09/29/poli ... index.html
Boris Johnson apologises for confusing his own lockdown rules - https://www.telegraph.co.uk/politics/20 ... ws-latest/

To verify this message, on the terminal import our public key from pgp.mit.edu or any of the other popular keyservers:
$ gpg --keyserver pgp.mit.edu --recv-key E9C7C942
gpg: requesting key E9C7C942 from hkp server pgp.mit.edu
gpg: key E9C7C942: public key "cryptostorm support (keybase.io/cryptostorm) <support@cryptostorm.is>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
$ gpg2 --fingerprint E9C7C942
pub 4096R/E9C7C942 2015-01-22
Key fingerprint = 4D87 F984 A222 8392 57FE 36A5 BBDB 991A E9C7 C942
uid cryptostorm support (keybase.io/cryptostorm) <support@cryptostorm.is>
uid [jpeg image of size 14369]
uid [jpeg image of size 20640]
sub 4096R/E9F7009A 2015-01-22
$ gpg --verify canary.txt
gpg: Good signature from "cryptostorm support (keybase.io/cryptostorm) <support@cryptostorm.is>"

There will most likely be other lines in the output from that last command, but as long as it says "Good signature", the verification worked correctly.
Our PGP public key is also available at https://keybase.io/cryptostorm and https://onename.com/cryptostorm
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

gpg: Signature made Tue 29 Sep 2020 06:11:16 PM UTC
gpg: using RSA key 4D87F984A222839257FE36A5BBDB991AE9C7C942
gpg: issuer "support@cryptostorm.is"
gpg: Good signature from "cryptostorm support (keybase.io/cryptostorm) <support@cryptostorm.is>" [unknown]
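
The two checks this thread turns on (which digest the signature really uses, and which key made it) can be automated from gpg's machine-readable status output instead of the "Good signature" line or the unauthenticated `Hash:` armor header. The following is an added example, not part of the original posts or cryptostorm's tooling; the function name, the 95-day staleness limit and the sample status lines are assumptions constructed for illustration.

```python
# Added example. Input is the machine-readable output of
#   gpg --status-fd 1 --verify canary.txt
# VALIDSIG field order follows GnuPG's doc/DETAILS; digest ids follow RFC 4880.
WEAK = {1: "MD5", 2: "SHA-1", 3: "RIPEMD-160"}
PINNED_FPR = "4D87F984A222839257FE36A5BBDB991AE9C7C942"  # fingerprint printed in the thread
MAX_AGE_DAYS = 95  # assumption: quarterly update plus a few days of slack

def audit_status(status_text, now, pinned_fpr=PINNED_FPR, max_age_days=MAX_AGE_DAYS):
    """Return a list of findings; an empty list means every check passed."""
    fields = None
    for line in status_text.splitlines():
        parts = line.split()
        if parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            fields = parts[2:]
            break
    if fields is None:
        return ["no VALIDSIG line: signature bad, missing, or key not imported"]
    if len(fields) < 9 or not fields[2].isdigit() or not fields[7].isdigit():
        return ["VALIDSIG line not in the expected epoch-seconds layout"]
    sig_time, hash_id = int(fields[2]), int(fields[7])
    primary_fpr = fields[9] if len(fields) > 9 else fields[0]
    findings = []
    # Compare the full 160-bit fingerprint, not the 8-hex-digit short key ID.
    if primary_fpr.upper() != pinned_fpr.upper():
        findings.append("signed by unexpected key " + primary_fpr)
    if hash_id in WEAK:
        findings.append("weak digest " + WEAK[hash_id])
    age_days = (now - sig_time) / 86400
    if age_days > max_age_days:
        findings.append("canary is stale: %d days old" % age_days)
    return findings

# Constructed status lines (not captured from a real gpg run).
SHA512_SIG = ("[GNUPG:] GOODSIG BBDB991AE9C7C942 cryptostorm support\n"
              "[GNUPG:] VALIDSIG " + PINNED_FPR + " 2020-09-29 1601403076 0 4 0 1 10 01 " + PINNED_FPR)
SHA1_SIG = SHA512_SIG.replace(" 1 10 01 ", " 1 2 01 ")

if __name__ == "__main__":
    day = 86400
    print(audit_status(SHA512_SIG, now=1601403076 + day))        # fresh, SHA-512
    print(audit_status(SHA1_SIG, now=1601403076 + day))          # SHA-1 digest
    print(audit_status(SHA512_SIG, now=1601403076 + 120 * day))  # missed update
```
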
