Re: PGP Signed Messages

From: Dennis V. Kudin (kudin@bezpeka.com)
Date: 10/17/01


Date: Wed, 17 Oct 2001 11:53:39 +0200
From: "Dennis V. Kudin" <kudin@bezpeka.com>
Message-ID: <1235667559.20011017115339@bezpeka.com>
To: dontpanic999@yahoo.com, vuln-dev@securityfocus.com, bugtraq@securityfocus.com
Subject: Re: PGP Signed Messages


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

Monday, October 15, 2001, 5:27:33 PM, you wrote:
> It occurred to me today what a bad idea the Comment Field is in PGP
> signed messages. Altering the Comment field does not affect the
> validity of the signature, but to the non-experienced PGP/GPG user
> it certainly appears to be part of the message.

The risk depends on how the signature is verified. I can give a
simple example of when such a "comment field" can really spoof an
inexperienced user:

Mail client: TheBat! with the PGP 6.0.x/6.5.x plug-in installed. When you
check the PGP signature of some message, it DOESN'T show the text of the
verified message. It only says whether the signature is good or bad, and
shows the name of the mailer, the signer, the validity status and the
date/time. So, in any case you read the whole text of the signed message,
including all fields.

____________________________________________
Sincerely,
Dennis V. Kudin
Ukrainian Information Security Center
Coordinator of Internet-portal BEZPEKA
e-mail: kudin@bezpeka.com
web-sites: http://www.bezpeka.com
           http://www.bezpeka.net
           http://www.bezpeka.org
phone: +380-612-12-92-83
fax: +380-612-12-92-82

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5i

iQA/AwUBO805DTRm6ItERtt2EQJFEACfa0N+e2SsKiGH/PTc1FSzUQ/QoUQAnRBJ
jQck+9JcZBrA4FofFVwPk1C/
=fYAo
-----END PGP SIGNATURE-----
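The point of the thread is that armor header lines such as "Comment:" and "Version:" sit inside the signed-looking block but are not covered by the signature. As an added example (not code from the original post), the Python splitter below separates the text the signer actually vouched for from those unauthenticated header lines, so a client could show only the former; the sample message is constructed.

```python
# Added example: split an RFC 4880 cleartext-signed message into the text the
# signature covers and the armor header lines it does not cover.
SIGNED_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"

# Constructed sample; the signature data is a placeholder, not a real signature.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Comment: this header line is NOT covered by the signature

Meeting moved to Friday.
- -- this signed line originally began with a dash
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5i

AAAA
=abcd
-----END PGP SIGNATURE-----
"""

def split_cleartext_signed(msg: str) -> dict:
    """Return the armor headers, the signed text and the signature block separately.

    Only 'signed_text' is protected by the signature; 'hash_headers' (Hash:,
    Comment:, ...) and 'sig_headers' (Version:, Comment:, ...) can be edited
    by anyone without invalidating it.
    """
    lines = msg.splitlines()
    try:
        start = lines.index(SIGNED_BEGIN)
        sig_start = lines.index(SIG_BEGIN, start)
        sig_end = lines.index(SIG_END, sig_start)
    except ValueError as exc:
        raise ValueError("not a complete cleartext-signed message") from exc
    # Armor headers run from the BEGIN line up to the first empty line.
    i = start + 1
    hash_headers = []
    while i < sig_start and lines[i] != "":
        hash_headers.append(lines[i])
        i += 1
    # Signed text follows the blank line; undo the "- " dash-escaping.
    body = [l[2:] if l.startswith("- ") else l for l in lines[i + 1:sig_start]]
    j = sig_start + 1
    sig_headers = []
    while j < sig_end and lines[j] != "":
        sig_headers.append(lines[j])
        j += 1
    return {"hash_headers": hash_headers, "signed_text": "\n".join(body),
            "sig_headers": sig_headers, "sig_data": "\n".join(lines[j + 1:sig_end])}

def unauthenticated_lines(parts: dict) -> list:
    """Header lines a reader might mistake for signed content (Hash: is structural)."""
    return [h for h in parts["hash_headers"] + parts["sig_headers"]
            if not h.startswith("Hash:")]
```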
