Re: [PLUG] gpg spoof?

Jeff Abrahamson on Thu, 4 Sep 2003 10:51:14 -0400

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] gpg spoof?

From: Jeff Abrahamson <jeff@purple.com>

To: PLUG <plug@lists.phillylinux.org>

Subject: Re: [PLUG] gpg spoof?

Date: Thu, 4 Sep 2003 10:49:22 -0400

Mail-followup-to: PLUG <plug@lists.phillylinux.org>

Reply-to: plug@lists.phillylinux.org

Sender: plug-admin@lists.phillylinux.org

User-agent: Mutt/1.5.4i

On Thu, Sep 04, 2003 at 10:28:51AM -0400, David Shaw wrote: > [40 lines, 300 words, 1890 characters] Top characters: etnsioa_ > > On Thu, Sep 04, 2003 at 08:39:46AM -0400, Jeff Abrahamson wrote: > > I received an encrypted and signed email which I decrypt and verify by > > piping through gpg (no options). The output looked like below (the > > part indented by two spaces). > > > > In mutt, I type "|gpg<return>" > > > > Now, I don't suspect Erin was trying to spoof me, and she had enclosed > > a semi-random string that I had encrypted to her. So this one case > > doesn't bother me. > > > > But, in general, how can I distinguish between the end of the > > encrypted message and the beginning of the "gpg: Signature ..." stuff? > > Couldn't someone just include such a (forged) signature block at the > > end of their message, then encrypt the whole thing without signing, > > and so convince me that the message was signed by someone else? > > This is a known attack against signature systems that display the > signature status along with the message text. The mutt mail reader > had this problem (and resolved it in part by putting the current time > in the verification message, outside of the GnuPG output). > > In the case of GnuPG, there are several ways to prevent being fooled: > > 1) Note that the signature verification message and the message itself > go to two different file descriptors. The message goes to stdout, > but the verification goes to stderr. > > 2) Decrypt to a file (gpg -o decrypted.txt). The file gets the > plaintext and the signature will still show up on the console. If > you see a signature in the file, it's a spoof. > > That said, I'm not opposed to a more rigorous warning... I need to > think about that a bit more. Could gpg use the same solution that mutt used: add a line that says, "Signature verified at `date`"? -- Jeff Jeff Abrahamson <http://www.purple.com/jeff/> GPG fingerprint: 1A1A BA95 D082 A558 A276 63C6 16BF 8C4C 0D1D AE4B
Attachment: pgpOubiROrLCx.pgp
Description: PGP signature

Follow-Ups:

Re: [PLUG] gpg spoof?
From: David Shaw <dshaw@jabberwocky.com>

References:

[PLUG] gpg spoof?
From: Jeff Abrahamson <jeff@purple.com>

Re: [PLUG] gpg spoof?
From: David Shaw <dshaw@jabberwocky.com>

Prev by Date: Re: [PLUG] gpg spoof?

Next by Date: Re: [PLUG] gpg spoof?

Previous by thread: Re: [PLUG] gpg spoof?

Next by thread: Re: [PLUG] gpg spoof?

Index(es):

Date

Thread