PGP-signed webpages

Adrian 'Dagurashibanipal' von Bidder avbidder@fortytwo.ch
Mon Sep 16 22:04:02 2002



On Mon, 2002-09-16 at 19:30, Per Tunedal wrote:

> >I don't think having webpages signed is very reliable - the HTTP
> >protocol negotiates supported character encodings of the server and
> >client and might just decide to recode the document to a character set
> >supported on the client side.
> >
> >I don't know if any current webserver actually does this, but it's
> >something to consider.

> Hi vbi,
> interesting if signing of web-pages is rubbish.

I didn't exactly say it's rubbish. I just said it's probably not
reliable.

The intent to protect webpages is certainly ok; and signing webpages
offline has various advantages over having them just transmitted over
SSL - notably a cracker can obviously not just replace it and nobody
notices. (Well, in theory. In practice, probably only few people would
ever verify a signed website if it's read not only by crypto-freaks).

The big problem, as I said, is that it's in theory perfectly legal for
the webserver to encode the webpage into a different character set so
that the browser can read it. Or for the browser to recode it (again) to
the platform native character set prior to saving it.

In the end, you might end up with webpages that verify sometimes - with
users not reacting if a webpage does not verify, rendering signatures
basically useless.

Using only US ASCII (which every browser should understand without the
need to convert it...) and/or configuring the browser to serve the pages
as 'binary' (but this would probably cause browsers to do stupid
things...) would be possible countermeasures to still enable signatures.
Or serving the content by ftp.

For the future, one could hope that the XML signing standard would be
supported by browsers (Honestly, I doubt it. But it would be a
possibility).

> I just found that a company called "ArticSoft" sells a software called
> "WebAssurity Protector" for signing of webpages:
>
> "WebAssurity Protector ensures the integrity of your web site content by
> enabling you to sign web pages and their attachments."
>
> Is that thus rubbish as well? What means are left for assuring the
> integrity of a site?

Companies will sell anything at all. Read the 'cryptogram' newsletter,
the section titled 'dogsomething' (dogshed? doghouse?).

I don't know what this particular product does - but I doubt they could
work around the encoding problem.

cheers
-- vbi

--
secure email with gpg                           http://fortytwo.ch/gpg

NOTICE: subkey signature! request key 92082481 from keyserver.kjsl.com

Signature policy: http://fortytwo.ch/gpg/policy/email.20020822
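
The recoding problem described in the message above, as an added illustration that is not part of the original e-mail: a SHA-256 digest stands in for the hash a PGP signature is computed over, and the sample page, the charset list and all function names are constructed for this example. It also shows why a page restricted to US-ASCII bytes (here produced with HTML numeric character references, one assumed way of getting there) survives recoding between ASCII-compatible charsets.

```python
import hashlib

# Constructed sample page (not from the original message).
PAGE = "<html><body><p>Zürich café: signed price list</p></body></html>\n"
# ASCII-compatible charsets a server or browser might pick (assumed set).
CHARSETS = ("iso-8859-1", "cp1252", "utf-8")


def digest(data: bytes) -> str:
    """Stand-in for the hash an OpenPGP signature is computed over."""
    return hashlib.sha256(data).hexdigest()


def recode(data: bytes, src: str, dst: str) -> bytes:
    """Same characters, possibly different bytes: what recoding does."""
    return data.decode(src).encode(dst)


def verifies_after_recoding(text: str, signed_as: str, delivered_as=CHARSETS) -> dict:
    """Map each delivery charset to whether the signed digest still matches."""
    signed = text.encode(signed_as)
    want = digest(signed)
    return {cs: digest(recode(signed, signed_as, cs)) == want for cs in delivered_as}


def ascii_only(text: str) -> str:
    """Rewrite non-ASCII characters as HTML numeric character references."""
    return text.encode("ascii", "xmlcharrefreplace").decode("ascii")


if __name__ == "__main__":
    # Signed as ISO-8859-1: still matches as cp1252, fails once sent as UTF-8.
    print(verifies_after_recoding(PAGE, "iso-8859-1"))
    # ASCII-only bytes are identical in all three charsets.
    print(verifies_after_recoding(ascii_only(PAGE), "ascii"))
```

The first result is the "verifies sometimes" case: the same signed page checks out or fails depending only on which charset the transport chose.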