PGP sign highlight on mutt

From: Ademar de Souza Reis Jr. (ademar@conectiva.com.br)
Date: 10/24/01

• Previous message: Oliver Bleutgen: "Re: IE 5.0 - Possible Cache Security Risk"
• Next in thread: Zen: "Re: PGP sign highlight on mutt"
• Reply: Zen: "Re: PGP sign highlight on mutt"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Wed, 24 Oct 2001 12:38:58 -0200
From: "Ademar de Souza Reis Jr." <ademar@conectiva.com.br>
To: vuln-dev@securityfocus.com
Subject: PGP sign highlight on mutt
Message-ID: <20011024123858.B983@conectiva.com.br>

Hi there.

When you receive a PGP signed message on mutt (a very popular text
based mail client), there are some ways you know it's signed:

1. The flags "s" or "S" in the message index (and in the bottom of a msg)
2. A message like "PGP signature successfully verified" in the bottom when
   opening a message
3. A *highlighted* message body with the gpg output (example given below)

"

[-- PGP output follows (current time: Tue 23 Oct 2001 05:10:41 PM BRST) --]
gpg: Warning: using insecure memory!
gpg: Signature made Tue 23 Oct 2001 04:35:11 PM BRST using DSA key ID 825F1270
gpg: Good signature from "Ademar de Souza Reis Junior <ademar@conectiva.com.br>"
[-- End of PGP output --]

[-- The following data is signed --]

Hi there.

[]'s
   - Ademar

[-- End of signed data --]
"

The point here is that since the most notorious one is (3), you can
copy&paste it in a message body (change times and some details) and
let mutt users think a message is signed when it's not.

In fact, I did it here in the company I work for. Since almost everybody
uses mutt in my department, it was easy to send a message with the
"From: " adultered and "signed" as the boss. (Yes, the boss didn't like
it, but he understood since I explained it was a "proof of concept") :)

Yes, you can consider this just a "human mistake", a "social exploit"
or whatever you want, but I think mutt could help avoiding that easily:

It could highlight the text only when it cames from gpg and not
every time it appears in the message body
or
It could interact with gpg in some other (better) way.
or
[put your solution here]

BTW, does that "vulnerability" applies to other mail clients too?

[]'s
   - Ademar

---

• Previous message: Oliver Bleutgen: "Re: IE 5.0 - Possible Cache Security Risk"
• Next in thread: Zen: "Re: PGP sign highlight on mutt"
• Reply: Zen: "Re: PGP sign highlight on mutt"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: PGP sign highlight on mutt ... PGP sign highlight on mutt ... >> on the status line on the bottom of the message, ... (Vuln-Dev) Re: PGP sign highlight on mutt ... PGP sign highlight on mutt ... > signed message, I need to use ^L to get my screen to redraw after the call to ... > pgp messes it up;) I use that as a solid indicator that pgp ran... ... On mutt 1.2.5i and probably some versions before that, ... (Vuln-Dev) Re: PGP sign highlight on mutt ... PGP sign highlight on mutt ... I don't know about you (or your mutt config), but mine shows a little "s" ... (Vuln-Dev) Re: [kde-linux] Sound over ssh? ... using mutt too. ... How is the climate for GPG in America?) ... uni a month ago, but a couple of guys here have keys. ... planning stages yet. ... (KDE) Re: Gnu pgp ... > good with a fetchmail, procmail, spamassassin, mutt based e-mail ... Yeah, I use that combination, although I don't actually have GPG set ... You'd be surprised how many people think Outlook is sensible. ... (Debian-User)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > vuln-dev  > 2001-10