easy way to confirm email validity

Peter Todd pete at petertodd.ca
Sun May 27 09:12:59 CEST 2007


On Thu, May 24, 2007 at 06:14:30PM -0500, Andrew Berg wrote:
> Peter Todd wrote:
> > The *only* thing included in the hash is what is between the START
> > and END bits, that's it, no headers no nothing. I'm not positive,
> > but I belive the MIME based PGP is pretty similar. Of course, this
> > means that you can fake the headers without invalidating the
> > signature...
> Can that really do any harm? Besides, of course, confusing a novice
> recipient.

Depends. I have a little system setup on my email that allows me to
create a specially formatted email that will trigger a procmail script
that appends the email to a file. In my case I rely completely on
security by obscurity, if the email is formatted correctly, anyone can
append to that file.

But suppose I considered it important for only me to be able to trigger
that script. So I decide to reply on digital signatures. A naive setup,
that simply appended anything that verified correctly, could allow the
attacker to easilly disrupt the setup with tonnes of bogus messages. A
basic replay attack.

And besides, confusing a novice is the source of the highly disrupting
worms and trojans that are allowing spammers to operate so freely...

-- 
http://petertodd.ca
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : /pipermail/attachments/20070527/2cd8ee31/attachment-0001.pgp 


More information about the Gnupg-users mailing list