GPG PGP S/Mime vulnerability
Guy Van Sanden
Fri Aug 3 12:52:01 2001
I've read through Don Davis' whitepaper about the disadvanteges of the=20=
current sign (and encrypt) features in all common standards to do so.
His basic reasoning (and I've tried it, it works!) is:
I send a signed message to someone stating "you're fired". He gets=20
angry and decides to get even with another collegue...
Using SMPT he puts my address in the from header, then pastes the=20
entire source of my signed message to him in the body (including the=20=
signatures), and sends it of to someone else...
That last person opens a message, which he thinks comes from me, and=20=
trusts the contents because the signature is verified!
More info is over here: