WKD vs VV and VVV
Bernhard Reiter
bernhard at intevation.de
Wed Apr 25 13:36:46 CEST 2018
On Wednesday 25 April 2018 13:17:16, Vincent Breitmoser wrote:
> > as WKD is not "walkable"
>
> E-Mail addresses are fairly walkable. If you consider a namespace like
> gmail, you'd likely be able to find a lot of valid addresses (and their
> keys) with a simple dictionary attack that combines names and numbers in
> the typical ways they are used in email addresses.
I agree, of course. You can try the email provider's SMTP by using a
distributed botnet for each address and you'd certainly find all of them
with manageable effort.
In more detail, my point is that WKD is not by concept "walkable" like a phone
book, and it is not brute-forceable like a list of hashes on disk.
There are tactics defending against trying all email addresses via WKD, e.g.
you could deliver fake pubkeys for each email address, block pattern requests
from certain network AS, or just delay online requests. In the end this is
nothing a well-funded and equipped attacker couldn't overcome, but still it
raises the costs a little bit, which I believe is important to many.
(Otherwise it wouldn't be listed in a number of security goals declarations.)
Regards,
Bernhard
--
www.intevation.de/~bernhard +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Managing directors Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
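As an added illustration (not part of this thread, nor GnuPG's own code), here is how a WKD client derives the lookup URL from an address: only the lowercased local part is SHA-1 hashed and z-base-32 encoded, so there is no directory to walk, but anyone who can guess an address can compute its URL, which is the dictionary risk discussed above. The test vector is the one from the WKD draft; the helper names are my own.

```python
import hashlib

# z-base-32 alphabet as used by the OpenPGP Web Key Directory draft
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32 (no padding); 20 SHA-1 bytes give 32 chars."""
    bits, nbits, out = 0, 0, []
    for byte in data:
        bits = (bits << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZB32[(bits >> nbits) & 31])
    if nbits:  # left-over bits are padded with zeros on the right
        out.append(ZB32[(bits << (5 - nbits)) & 31])
    return "".join(out)


def wkd_hashed_local_part(email: str) -> str:
    """Hash the local part the way WKD does: lowercase, SHA-1, z-base-32.

    Case folding is what makes "Joe.Doe" and "joe.doe" land on the same
    URL; the hash hides nothing from someone who already guessed the address.
    """
    local, _, _domain = email.rpartition("@")
    digest = hashlib.sha1(local.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(email: str) -> tuple[str, str]:
    """Return (advanced, direct) WKD lookup URLs for an address.

    The server only answers exact hashed-local-part requests; there is no
    endpoint that lists entries, which is the "not walkable" property.
    The domain is lowercased for the URL; the original local part is sent
    in the l= query parameter so the server may filter or rate-limit on it.
    """
    local, _, domain = email.rpartition("@")
    domain = domain.lower()
    h = wkd_hashed_local_part(email)
    advanced = (f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                f"{domain}/hu/{h}?l={local}")
    direct = f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={local}"
    return advanced, direct


if __name__ == "__main__":
    for url in wkd_urls("Joe.Doe@Example.ORG"):
        print(url)
```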