| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: michael at bluesuperman.com (Michael Gale) Subject: a PGP signed mail? Has to be spam! Hello, Do you know how PGP signatures work, you need to have the person who signed it / created the PGP sig to somehow securely provide you with their key to validate it. For example look at this message - it have a PGP signature that my mail client says it very good. It trusts it - but according to the PGP signature this e-mail is from Bill Gates, from bill@...rosoft.com PGP is NOT secure AT ALL unless we all start trading keys via a secure means. That is why it has never taken off. Michael. On Tue, 11 Nov 2003 20:15:56 -0700 Scott Taylor <security@...underground.com> wrote: > On Tue, 2003-11-11 at 19:22, onedo@....net wrote: > > Hi everyone > > > > I had to notice something today that really disturbed me. A friend > > of mine(working for a very big company) complained, that she doesn't > > get any mails from me anymore. It turned out, that apparently my > > mails went straight into the spam filter, as I signed everyone of > > them. When I sent unsigned mails, she got them. What do we learn? > > Crypto is bad m'kay? But for real, does that mean that we won't be > > able to sign any mails anymore soon, due to the spam problem(and > > stupid admins)?'EGovernment' is the big word everywhere nowadays. > > The electronic signature is mentioned as a way to ensure the > > credidibility of sender and receiver. Now what? > > Guys(and girls), the situation sucks. What do you think? And, most > > important of all, do you see any way to fight this behaviour? > > Because honestly, I don't. > > Greets > > > > $me > > Quite the opposite. My bayesian filter is learning to love signed > messages. I'd probably start rejecting any non-signed messages just > on principle if I didn't have so many friends that paid for their > operating system. Your friend's company probably overpaid for their > spam filter too. She should send a note to her boss, the mail admin, > etc. saying that *business contacts* are being blocked due to poor > filtering. They tend to pay a little more attention if they think its > affecting their sales. > > I don't know any spammers that actually sign with valid gpg > signatures. And even if they did, their fingerprint would give us > something to specifically blacklist. It would be worth the effort to > have the mailserver itself verify signatures if enough people used > them. Decent mail clients make signing and checking signatures easy, > and they do a good job now of turning otherwise ugly blocks of random > text into a nice little 'valid signature' icon. Its not so much that I > think someone is going to spoof a friend's email account although with > all the poser viruses out there, a message claiming to be from me but > unsigned should raise concern among the people I regularly email. > > > -- > Scott Taylor - <security@...underground.com> > > Anyone who goes to a psychiatrist ought to have his head examined. > -- Samuel Goldwyn > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 307 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031111/5219bcce/attachment.bin
Powered by blists - more mailing lists