gnupg encrypted mail and malware/spam

Thomas Scheffczyk thomas.scheffczyk@verwaltung.uni-mainz.de
Sun May 11 13:28:03 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Anthony E. Greene schrieb:

>>If gnupg is used to protect mail messages it also disables all server
>>based protection measures against malware and spam. No virus scanner nor
>>spam filter on firewalls or gateways can check the encrypted messages.
>
> Your needs are not well addressed by GnuPG. You should consider buying
> some of the tools offered by PGP Corp.
>
>   http://www.pgp.com/
>
Hello Tony, hello all,

thank you all for your comments and suggestions.

Perhaps I'm too pessimistic, but I do not share the opinion that it would
be too much work for spammers to encrypt (not sign) their messages. I can
imagine that the success ratio of encrypted spam would be remarkably
higher compared with an unencrypted and often filtered message :-(

Just a comment on pgp: I used the commercial version of pgp for a
while, but if at all possible I will never do so again. I bought quite a
couple of licences just a month before NAI decided to put the
development of pgp on hold. The worst thing was that it wasn't possible
to use pgp on WinXP, and I really didn't want to maintain different
programs for each platform.

I guess that my question was a little misleading and too spam-centric. A
graphical firewall and a gateway for checked files would be a possible
solution. Another solution would be to accept encrypted messages only
for functional (i.e. non-personal) mail to avoid any kind of key escrow
for personal keys.

Until now, no comment was given on my first post scriptum:

'I do not fear 'ordinary' viruses or other malware. What I really fear
is a sophisticated attacker who sends backdoors at a very slow rate to
single users in my network. I cannot guarantee that really no user will
start the program. If it is started, it's easy to create a back channel
over allowed traffic like http.'

Does nobody fear this, too? I'm very surprised that this threat was
never discussed in the context of public key infrastructures. I know a
couple of big institutions (please excuse that I don't list the
institutions right here) that do allow personal use of encryption, but
only one (a health insurance company) was aware of this problem. (Their
solution is to allow cryptography only for special messages like data
exchange with universities ;-)

Hoping for more comments and suggestions,

Yours,

Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

iD8DBQE+vjPvICWLj6LjFjIRAuUmAJ0cPXRJdXMXAzkI9cw5UTBz8o5XBgCgrFsr
ukGIg2Ew+UjScLFicmcEywU=
=5VpT
-----END PGP SIGNATURE-----
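The policy Thomas sketches above (a gateway cannot scan encrypted mail, so accept it only for functional, non-personal mailboxes and hold everything else for review) can be enforced at the mail gateway without any key escrow. The following is an added example written for this page, not code from the thread or from GnuPG: it recognises both PGP/MIME (RFC 3156, multipart/encrypted with protocol="application/pgp-encrypted") and inline ASCII-armored messages, then returns a verdict per recipient policy. The functional-mailbox list, the sample messages and the verdict names are constructed for illustration; a real deployment would wire `gateway_verdict` into the MTA's content-filter hook.

```python
"""Gateway policy for OpenPGP-encrypted mail that cannot be scanned (added example)."""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses
from typing import Tuple

# Functional (non-personal) mailboxes for which encrypted mail is accepted
# even though the gateway cannot inspect it. Constructed sample values.
FUNCTIONAL_MAILBOXES = {"datenaustausch@example.org", "postmaster@example.org"}

PGP_MIME_PROTOCOL = "application/pgp-encrypted"    # RFC 3156 PGP/MIME
INLINE_MARKER = b"-----BEGIN PGP MESSAGE-----"      # inline armored ciphertext


def is_pgp_encrypted(msg: Message) -> bool:
    """True if the message carries OpenPGP ciphertext a gateway scanner cannot read."""
    # PGP/MIME: the outer container announces the encryption protocol.
    if (msg.get_content_type() == "multipart/encrypted"
            and str(msg.get_param("protocol", "")).lower() == PGP_MIME_PROTOCOL):
        return True
    # Inline PGP: an armored block inside any text part (older clients, scripts).
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            if INLINE_MARKER in payload:
                return True
    return False


def gateway_verdict(raw_message: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one raw RFC 822 message.

    scan             -> cleartext, hand to the virus/spam scanner as usual
    accept-unscanned -> encrypted, but every recipient is a functional mailbox
    quarantine       -> encrypted mail to a personal mailbox: hold for review
    """
    msg = message_from_string(raw_message)
    if not is_pgp_encrypted(msg):
        return "scan", "cleartext: pass to virus/spam scanner"
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = [addr.lower() for _, addr in getaddresses(headers) if addr]
    if recipients and all(r in FUNCTIONAL_MAILBOXES for r in recipients):
        return "accept-unscanned", "encrypted mail to functional mailbox only"
    return "quarantine", "encrypted mail to personal mailbox cannot be scanned"


# Constructed sample messages (no real ciphertext, the armor is a placeholder).
PGP_MIME_MAIL = """\
From: partner@example.net
To: datenaustausch@example.org
Subject: Datenlieferung
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(ciphertext omitted; constructed sample)
-----END PGP MESSAGE-----
--b1--
"""

INLINE_MAIL = """\
From: unknown@example.net
To: alice@example.org
Subject: hi

-----BEGIN PGP MESSAGE-----
(ciphertext omitted; constructed sample)
-----END PGP MESSAGE-----
"""

CLEAR_MAIL = """\
From: bob@example.net
To: alice@example.org
Subject: lunch

See you at 12.
"""

if __name__ == "__main__":
    for name, sample in (("pgp-mime", PGP_MIME_MAIL), ("inline", INLINE_MAIL),
                         ("clear", CLEAR_MAIL)):
        print(name, gateway_verdict(sample))
```

The check deliberately keys on the container type and the armor header rather than attempting to decrypt anything: the gateway never holds user keys, which is exactly the point of the functional-mailbox rule. Messages that the scanner cannot inspect are the only ones treated differently, so ordinary cleartext mail keeps its existing virus and spam filtering.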