Re: [Full-Disclosure] a PGP signed mail? Has to be spam!

From: Michael Gale (michael_at_bluesuperman.com)
Date: 11/12/03

    To: full-disclosure@lists.netsys.com
    Date: Tue, 11 Nov 2003 20:54:11 -0700

    Hello,

            Do you know how PGP signatures work? You need to have the person who
    signed it / created the PGP sig somehow securely provide you with
    their key to validate it.

    For example, look at this message - it has a PGP signature that my mail
    client says is very good. It trusts it - but according to the PGP
    signature this e-mail is from Bill Gates, bill@microsoft.com.

    PGP is NOT secure AT ALL unless we all start trading keys via a secure
    means. That is why it has never taken off.

    Michael.

    On Tue, 11 Nov 2003 20:15:56 -0700
    Scott Taylor <security@303underground.com> wrote:

    > On Tue, 2003-11-11 at 19:22, onedo@gmx.net wrote:
    > > Hi everyone
    > >
    > > I had to notice something today that really disturbed me. A friend
    > > of mine(working for a very big company) complained, that she doesn't
    > > get any mails from me anymore. It turned out, that apparently my
    > > mails went straight into the spam filter, as I signed every one of
    > > them. When I sent unsigned mails, she got them. What do we learn?
    > > Crypto is bad m'kay? But for real, does that mean that we won't be
    > > able to sign any mails anymore soon, due to the spam problem(and
    > > stupid admins)? 'EGovernment' is the big word everywhere nowadays.
    > > The electronic signature is mentioned as a way to ensure the
    > > credibility of sender and receiver. Now what?
    > > Guys(and girls), the situation sucks. What do you think? And, most
    > > important of all, do you see any way to fight this behaviour?
    > > Because honestly, I don't.
    > > Greets
    > >
    > > $me
    >
    > Quite the opposite. My bayesian filter is learning to love signed
    > messages. I'd probably start rejecting any non-signed messages just
    > on principle if I didn't have so many friends that paid for their
    > operating system. Your friend's company probably overpaid for their
    > spam filter too. She should send a note to her boss, the mail admin,
    > etc. saying that *business contacts* are being blocked due to poor
    > filtering. They tend to pay a little more attention if they think it's
    > affecting their sales.
    >
    > I don't know any spammers that actually sign with valid gpg
    > signatures. And even if they did, their fingerprint would give us
    > something to specifically blacklist. It would be worth the effort to
    > have the mailserver itself verify signatures if enough people used
    > them. Decent mail clients make signing and checking signatures easy,
    > and they do a good job now of turning otherwise ugly blocks of random
    > text into a nice little 'valid signature' icon. It's not so much that I
    > think someone is going to spoof a friend's email account although with
    > all the poser viruses out there, a message claiming to be from me but
    > unsigned should raise concern among the people I regularly email.
    >
    >
    > --
    > Scott Taylor - <security@303underground.com>
    >
    > Anyone who goes to a psychiatrist ought to have his head examined.
    > -- Samuel Goldwyn
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html

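    Michael's point above (a signature can be cryptographically "very good" and still say nothing about who holds the key, because the user ID is whatever the key's creator typed in) and Scott's point (a spammer's valid signature at least yields a fingerprint to block), as an added Go example that is not code from this thread. It stands in for OpenPGP with Ed25519 keys and a SHA-256 fingerprint, and the key claiming to be bill@microsoft.com is constructed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// Key models what a PGP-style signature actually binds: a public key and the
// user ID its holder *claims*. Anyone can generate a key naming someone else.
type Key struct {
	UserID string
	Pub    ed25519.PublicKey
	priv   ed25519.PrivateKey
}

func NewKey(userID string) *Key {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails without OS entropy
	return &Key{UserID: userID, Pub: pub, priv: priv}
}

// Fingerprint identifies the key itself, not the name on it. It is the value
// compared out of band (in person, by phone) before a key is marked trusted.
func (k *Key) Fingerprint() string {
	sum := sha256.Sum256(k.Pub)
	return hex.EncodeToString(sum[:8])
}

func (k *Key) Sign(msg []byte) []byte { return ed25519.Sign(k.priv, msg) }
// Verdict keeps apart the questions a "valid signature" icon blurs together.
type Verdict struct {
	GoodSignature bool   // cryptographically valid for this key
	Trusted       bool   // fingerprint confirmed through a secure channel
	Blocked       bool   // fingerprint on a local blocklist (known spammer keys)
	ClaimedID     string // what the key says about its owner; unverified
}

// Keyring records fingerprints the user confirmed out of band or blocked.
type Keyring struct{ Trusted, Blocked map[string]bool }

func (r *Keyring) Check(k *Key, msg, sig []byte) Verdict {
	fp := k.Fingerprint()
	return Verdict{
		GoodSignature: ed25519.Verify(k.Pub, msg, sig),
		Trusted:       r.Trusted[fp], // a nil map simply reads as false
		Blocked:       r.Blocked[fp],
		ClaimedID:     k.UserID,
	}
}
```

    With an empty keyring the constructed "Bill Gates" key verifies as a good signature yet stays untrusted; only adding its fingerprint after checking it over a secure channel changes that, and a second key with the identical user ID remains untrusted.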