PGP-signed webpages

Adrian 'Dagurashibanipal' von Bidder
Mon Sep 16 22:04:02 2002

Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

On Mon, 2002-09-16 at 19:30, Per Tunedal wrote:

> >I don't think having webpages signed is very reliable - the HTTP
> >protocol negotiates supported character encodings of the server and
> >client and might just decide to recode the document to a character set
> >supported on the client side.=3D20
> >
> >I don't know if any current webserver actually does this, but it's
> >something to consider.

> Hi vbi,
> interesting if signing av web-pages is rubbish.=20

I didn't exactly say it's rubbish. I just said it's probably not

The intent to protect webpages is certainly ok; and sign webpages
offline has various advantages over having them just transmitted over
SSL - notably a cracker can obviously not just replace it and nobody
notices. (Well, in theory. In practice, probably only few people would
ever verify a signed website if it's read not only by crypto-freaks).

The big problem, as I said, is that it's in theory perfectly legal for
the webserver to encode the webpage into a different character set so
that the browser can read it. Or for the browser to recode it (again) to
the platform native character set prior to saving it.

In the end, you might end up with webpages, that verify sometimes - with
users not reacting if a webpage does not verify, rendering signatures
basically useless.

Using only US ASCII (which every browser should understand without the
need to convert it...) and/or configuring the browser to serve the pages
as 'binary' (but this would probably cause browsers to do stupid
things...) would be possible countermeasures to still enable signatures.
Or serving the content by ftp.

For the future, one could hope that the XML signing standard would be
supported by browsers (Honestly, I doubt it. But it would be a

> I just found that a company=20
> called "ArticSoft
> " sells a software called "WebAssurity Protector" for signing of webpages=
> "WebAssurity Protector ensures the integrity of your web site content by=20
> enabling you to sign web pages and their attachments."
> Is that thus rubbish as well? What means are left for assuring the=20
> integrity of a site?

Companies will sell anything at all. Read the 'cryptogram' newsletter,
the section titled 'dogsomething' (dogshed? doghouse?).

I don't know what this particular product does - but I doubt they could
work around the encoding problem.

-- vbi

secure email with gpg                 

NOTICE: subkey signature! request key 92082481 from

Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

Version: GnuPG v1.0.7 (GNU/Linux)

Signature policy: