Open Source and information security mailing list archives
From: michael at bluesuperman.com (Michael Gale)
Subject: a PGP signed mail? Has to be spam!

Hello,

Do you know how PGP signatures work? You need to have the person who
signed it / created the PGP sig somehow securely provide you with
their key to validate it.

For example, look at this message - it has a PGP signature that my mail
client says is very good. It trusts it - but according to the PGP
signature this e-mail is from Bill Gates, from bill@...rosoft.com.

PGP is NOT secure AT ALL unless we all start trading keys via a secure
means. That is why it has never taken off.

Michael.



On Tue, 11 Nov 2003 20:15:56 -0700
Scott Taylor <security@...underground.com> wrote:

> On Tue, 2003-11-11 at 19:22, onedo@....net wrote:
> > Hi everyone
> > 
> > I had to notice something today that really disturbed me. A friend
> > of mine (working for a very big company) complained that she doesn't
> > get any mails from me anymore. It turned out that apparently my
> > mails went straight into the spam filter, as I signed every one of
> > them. When I sent unsigned mails, she got them. What do we learn?
> > Crypto is bad m'kay? But for real, does that mean that we won't be
> > able to sign any mails anymore soon, due to the spam problem (and
> > stupid admins)? 'EGovernment' is the big word everywhere nowadays.
> > The electronic signature is mentioned as a way to ensure the
> > credibility of sender and receiver. Now what?
> > Guys (and girls), the situation sucks. What do you think? And, most
> > important of all, do you see any way to fight this behaviour?
> > Because honestly, I don't.
> > Greets
> > 
> > $me
> 
> Quite the opposite. My bayesian filter is learning to love signed
> messages.  I'd probably start rejecting any non-signed messages just
> on principle if I didn't have so many friends that paid for their
> operating system. Your friend's company probably overpaid for their
> spam filter too. She should send a note to her boss, the mail admin,
> etc. saying that *business contacts* are being blocked due to poor
> filtering. They tend to pay a little more attention if they think it's
> affecting their sales.
> 
> I don't know any spammers that actually sign with valid gpg
> signatures. And even if they did, their fingerprint would give us
> something to specifically blacklist. It would be worth the effort to
> have the mailserver itself verify signatures if enough people used
> them. Decent mail clients make signing and checking signatures easy,
> and they do a good job now of turning otherwise ugly blocks of random
> text into a nice little 'valid signature' icon. It's not so much that I
> think someone is going to spoof a friend's email account although with
> all the poser viruses out there, a message claiming to be from me but
> unsigned should raise concern among the people I regularly email. 
> 
> 
> --
> Scott Taylor - <security@...underground.com> 
> 
> Anyone who goes to a psychiatrist ought to have his head examined.
> 		-- Samuel Goldwyn
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 307 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031111/5219bcce/attachment.bin
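Michael's point (a "good" signature only proves that somebody holds the signing key, not that the name on the key is real) and Scott's (a spammer's fingerprint is something precise to blacklist) suggest how a mail filter should actually consume signature results. The following is an added example, not code from anyone in this thread: a policy function over GnuPG's `--status-fd` output, where the fingerprints and the status lines themselves are constructed sample data.

```python
# Added example (not from the thread): spam-filter policy over GnuPG
# "--status-fd" verification lines. GOODSIG alone proves possession of
# *some* key; only the fingerprint (VALIDSIG) and the trust level say whose.
# All fingerprints, user IDs and status lines below are constructed samples.

TRUSTED_FPRS = {"0123456789ABCDEF0123456789ABCDEF01234567"}  # keys exchanged securely
BLOCKED_FPRS = {"DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF"}  # keys seen signing spam

def parse_status(status_text):
    """Reduce gpg status lines to (verdict, fingerprint, trust)."""
    verdict, fpr, trust = "unsigned", None, None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line.split()
        keyword = parts[1]
        if keyword == "GOODSIG":
            verdict = "good"
        elif keyword in ("BADSIG", "ERRSIG"):
            verdict = "bad"
        elif keyword == "NO_PUBKEY":
            verdict = "unknown-key"
        elif keyword == "VALIDSIG":
            fpr = parts[2].upper()            # primary field is the signing key fpr
        elif keyword.startswith("TRUST_"):
            trust = keyword[len("TRUST_"):]   # UNDEFINED, NEVER, MARGINAL, FULLY, ULTIMATE
    return verdict, fpr, trust

def signature_policy(status_text):
    """Return 'allow', 'reject' or 'neutral' for the spam filter."""
    verdict, fpr, trust = parse_status(status_text)
    if verdict == "good" and fpr in BLOCKED_FPRS:
        return "reject"   # a known spammer key is a precise blacklist entry
    if verdict == "good" and fpr in TRUSTED_FPRS and trust in ("FULLY", "ULTIMATE"):
        return "allow"    # only a key verified out of band earns an allow
    return "neutral"      # "Bill Gates" on an untrusted key: no uplift at all

# Constructed sample: a good signature from a self-made "Bill Gates" key.
FORGED_UID_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Bill Gates <bill@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2003-11-11 1068602156 0 4 0 17 2 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
TRUSTED_STATUS = FORGED_UID_STATUS.replace("FEDCBA9876543210FEDCBA9876543210FEDCBA98",
    "0123456789ABCDEF0123456789ABCDEF01234567").replace("TRUST_UNDEFINED", "TRUST_FULLY")
SPAMMER_STATUS = FORGED_UID_STATUS.replace("FEDCBA9876543210FEDCBA9876543210FEDCBA98",
    "DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF")
```

In production the status text would come from `gpg --status-fd 1 --verify` run over the message; the parser only looks at the `[GNUPG:]` lines, so the human-readable output can be mixed in.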
