Re: [PLUG] gpg spoof?

Erin Mulder on Thu, 4 Sep 2003 09:45:15 -0400

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] gpg spoof?

From: Erin Mulder <meara@alumni.princeton.edu>

To: plug@lists.phillylinux.org

Subject: Re: [PLUG] gpg spoof?

Date: Thu, 04 Sep 2003 09:43:34 -0400

Reply-to: plug@lists.phillylinux.org

Sender: plug-admin@lists.phillylinux.org

User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5b) Gecko/20030727 Thunderbird/0.1

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

What if you also run |gpg -o temp.txt, then cat temp.txt and compare.

(temp.txt should only get the message not the signature, so if the signature's in there too, then it's a spoof.)

Cheers, Erin

Jeff Abrahamson wrote: | I received an encrypted and signed email which I decrypt and verify by | piping through gpg (no options). The output looked like below (the | part indented by two spaces). | | In mutt, I type "|gpg<return>" | | Now, I don't suspect Erin was trying to spoof me, and she had enclosed | a semi-random string that I had encrypted to her. So this one case | doesn't bother me. | | But, in general, how can I distinguish between the end of the | encrypted message and the beginning of the "gpg: Signature ..." stuff? | Couldn't someone just include such a (forged) signature block at the | end of their message, then encrypt the whole thing without signing, | and so convince me that the message was signed by someone else? | | You need a passphrase to unlock the secret key for | user: "Jeff Abrahamson <jeff@purple.com>" | 2048-bit ELG-E key, ID 29595FCD, created 2002-05-02 (main key ID 0D1DAE4B) | | gpg: encrypted with 2048-bit ELG-E key, ID ADD31B0A, created 2003-08-28 | "Erin Mulder <meara@alumni.princeton.edu>" | gpg: encrypted with 2048-bit ELG-E key, ID 29595FCD, created 2002-05-02 | "Jeff Abrahamson <jeff@purple.com>" | Hi Jeff, | | It was great meeting you all. Thanks for signing my key. | | Cheers, | Erin | | Jeff Abrahamson wrote: | > Hi, Erin. | > | > Could you please respond to this message, signed and encrypted, so | > that I know you are who you say you are? | > | > Here's a semi-random string to include in your response: | > | > 153758709bcbdfc23f745c0b4656939632cfb6df | > | > Thanks. | > | gpg: Signature made Thu 04 Sep 2003 12:15:32 AM EDT using DSA key ID A54DA2DF | gpg: Good signature from "Erin Mulder <meara@alumni.princeton.edu>" | gpg: WARNING: This key is not certified with a trusted signature! | gpg: There is no indication that the signature belongs to the owner. | Primary key fingerprint: 8609 5F8C E335 F93F 40CC 14B8 10FA 4C88 A54D A2DF | | -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQE/V0GGEPpMiKVNot8RAjz6AKCYcnD/raL6J+ovny2dkPuwRaI5vQCcDPKC kEBNJ3OGZ8EqIV6sxIxAubs= =9YVl -----END PGP SIGNATURE-----

_________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce General Discussion -- http://lists.netisland.net/mailman/listinfo/plug

Follow-Ups:

Re: [PLUG] gpg spoof?
From: Jeff Abrahamson <jeff@purple.com>

References:

[PLUG] gpg spoof?
From: Jeff Abrahamson <jeff@purple.com>

Prev by Date: Re: [PLUG] gpg spoof?

Next by Date: [PLUG] ghost user

Previous by thread: Re: [PLUG] gpg spoof?

Next by thread: Re: [PLUG] gpg spoof?

Index(es):

Date

Thread