Anyone know what became of the Gaim-E Project?
dshaw at jabberwocky.com
Tue Nov 4 06:32:19 CET 2008
On Nov 3, 2008, at 4:08 PM, David Picón Álvarez wrote:
> From: "Robert J. Hansen" <rjh at sixdemonbag.org>
>> To turn the "I love you" example into an attack, consider this:
>> Alice sends Bob a message saying "Remember, you need to deliver the
>> product at midnight." Bob, who doesn't want responsibility for
>> delivering the product, cuts-and-pastes Alice's message and sends
>> it on to Charlie, forging it as being from Alice. Charlie receives
>> a message that seems to be from Alice, has a meaningful message,
>> and has a valid signature from a trusted key. Charlie delivers
>> the product at midnight. The next day Alice sees the product was
>> delivered, and sends Bob a message saying "thank you for
>> delivering the product, the check is in the mail."
> Fair enough, but I think all these examples rely on faulty or
> insufficient metadata. For instance if the from, to, cc, bcc and
> subject headers were included in the sealing, things like this would
> not happen. (Not sure exactly what headers pgp-mime does include
> much less s/mime).
Both PGP/MIME and S/MIME are built over MIME, and have the same
metadata protection. Specifically, none of the mail headers are
included. This is not a flaw - it's just not how MIME handles this
sort of thing (with some headers covered, and some not). If you want
to protect an message, you protect the entire thing as a message/
rfc822 object which is completely covered. Think of it as treating
the message you are protecting as an attachment to another message.
More information about the Gnupg-users