Eugene Smiley on Thu, 4 Sep 2003 09:22:06 -0400



Re: [PLUG] gpg spoof?


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jeff Abrahamson wrote:

> Now, I don't suspect Erin was trying to spoof me, and she had enclosed
> a semi-random string that I had encrypted to her. So this one case
> doesn't bother me.

According to what you listed...

> gpg: Signature made Thu 04 Sep 2003 12:15:32 AM EDT using DSA key ID A54DA2DF
> gpg: Good signature from "Erin Mulder <meara@alumni.princeton.edu>"
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 8609 5F8C E335 F93F 40CC  14B8 10FA 4C88 A54D A2DF

It is just warning you that the signature is good, but that this
person doesn't have a signature that you trust. In PGP you would get
something like this:

*** Status:   Good Signature from Invalid Key
*** Alert:    Please verify signer's key before trusting signature.

> But, in general, how can I distinguish between the end of the
> encrypted message and the beginning of the "gpg: Signature ..." stuff?
> Couldn't someone just include such a (forged) signature block at the
> end of their message, then encrypt the whole thing without signing,
> and so convince me that the message was signed by someone else?

It is possible. One spammer has even tried using fake PGP sigs to try
to get a few "bonus" points from SpamAssassin. This is always easy to
spot.

However, trying to fake the signature verification is harder if that's
what you are referring to. The 'attacker' would need to know about your
specific setup to make it convincing, but it would still be noticeable
if you were to look at the original message and verify it manually.



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-nr2 (Windows XP)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/VzxC6QPtAqft/S8RAmGDAJ96LnEe5cras2IVS3AShIDDG9aZfwCfSAwj
1+MfNoYDjZnAwgSM6VGasgY=
=ULIc
-----END PGP SIGNATURE-----
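As an added example (not part of this thread or of GnuPG itself), a small parser for gpg's machine-readable status output, which is what a mail client should consult instead of the human-readable "gpg:" lines: `gpg --status-fd` writes its verdict as lines with the `[GNUPG:] ` prefix on a separate descriptor, so body text that imitates "gpg: Good signature from ..." can never produce a verdict. The sample status lines are constructed around the key ID and fingerprint quoted above; `Verdict`, `parse_gpg_status` and `matches_known_fingerprint` are names chosen for this example.

```python
from dataclasses import dataclass

# Constructed sample of what `gpg --status-fd 1 --verify` emits for the
# signature quoted in the thread. Key ID and fingerprint are the ones
# shown there; the timestamp and other VALIDSIG fields are made up.
STATUS_REAL = """\
[GNUPG:] GOODSIG 10FA4C88A54DA2DF Erin Mulder <meara@alumni.princeton.edu>
[GNUPG:] VALIDSIG 86095F8CE335F93F40CC14B810FA4C88A54DA2DF 2003-09-04 1062648932 0 4 0 17 2 00 86095F8CE335F93F40CC14B810FA4C88A54DA2DF
[GNUPG:] TRUST_UNDEFINED
"""
# Constructed sample: message body text imitating gpg's human-readable output.
FORGED_BODY = """\
gpg: Signature made Thu 04 Sep 2003 12:15:32 AM EDT using DSA key ID A54DA2DF
gpg: Good signature from "Erin Mulder <meara@alumni.princeton.edu>"
"""
PREFIX = "[GNUPG:] "
TRUSTED = {"TRUST_FULLY", "TRUST_ULTIMATE"}

@dataclass
class Verdict:
    signature_valid: bool = False   # GOODSIG and VALIDSIG seen, no failure keyword
    key_trusted: bool = False       # signer's key is fully/ultimately trusted locally
    key_id: str = ""
    fingerprint: str = ""
    user_id: str = ""
    trust: str = ""

def parse_gpg_status(status_text: str) -> Verdict:
    """Build a verdict from [GNUPG:] status lines only; all other text is ignored."""
    v, good, valid, failed = Verdict(), False, False, False
    for line in status_text.splitlines():
        if not line.startswith(PREFIX):
            continue                      # message body never carries this prefix
        fields = line[len(PREFIX):].split()
        kw = fields[0] if fields else ""
        if kw == "GOODSIG":
            good, v.key_id, v.user_id = True, fields[1], " ".join(fields[2:])
        elif kw == "VALIDSIG":
            valid, v.fingerprint = True, fields[1]
        elif kw in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            failed = True                 # expired/revoked keys treated as failures here
        elif kw.startswith("TRUST_"):
            v.trust = kw
    v.signature_valid = good and valid and not failed
    v.key_trusted = v.signature_valid and v.trust in TRUSTED
    return v

def matches_known_fingerprint(v: Verdict, known_fpr: str) -> bool:
    """Check the signing key against a fingerprint verified out of band."""
    return v.signature_valid and v.fingerprint == known_fpr.replace(" ", "").upper()
```

The forged body yields no verdict at all, while the real status gives a valid signature from an untrusted key, which is exactly the "Good Signature from Invalid Key" situation described above.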
