Signature Verification Before Opening

Werner Koch wk@gnupg.org
Wed May 15 21:17:01 2002


On Wed, 15 May 2002 16:23:00 GMT, Thomas Wadner said:

> stop virii that are linked to attachments.  Since virii can't sign
> an email (unless you cache your passphrase or set it to automatically

I bet you will see this as soon as email signing becomes mainstream.
There is nothing to stop malicious code from sniffing the keyboard and
silently sending signed mails.  All it needs is to get the right to
execute a few bytes initially.  And yes, this may also happen on
non-Windows boxes.

The only practical countermeasure I can think of is to have an
external crypto token with a display and a counter so that you can at
least detect that something was signed without your knowledge.  But
even this is not failsafe because the malware might wait until you
sign something and substitute your text with its own text while
sending out your real mail without a signature.

> can verify that it was really sent.  At this point I know of no
> virii that can be spread just by being sent to a person (as of yet)

I remember a procmail bug which could be exploited in this way and
any bug in the mailbox parsing code of a MUA may lead to an exploit.

> wouldn't be feasible - and wise - to have a program (or script) that
> verifies signatures _before_ they are opened, or for that matter even
> downloaded to the computer?  It would seem to me for Unix based

I read hundreds of mail a day from persons I don't know - so how
should I be sure that it is a valid signature - well, I could choose
to trust VeriSign et al. ;-)

> an automessage sent back to the person saying: The message sent on [ 
> ] with the subject [ ] has been rejected due to an invalid

and telling spammers about a valid email address.

> I'm not sure on the standards of iptables (and similar) so it might
> have to be a separate program.

IP is not the right level for this.

  Werner